Speaking at OpRisk World 2015 recently, I was struck by the way in which the complexity of issues is increased by the disparity of terminology when talking about risk. For example, during the panel session on the “three lines of defense” strategy for GRC, much of the discussion focused on what that term actually means. And of course the difficulty is further increased when we work across languages, cultures and political systems, as is the rule here in Europe.

This disparity in terminology is one of the most difficult aspects of effective response to regulatory requirements. Privacy regulations in the European Union attempt to synthesize disparate regulations across the EU. But those regulations continue to differ from comparable regulations in the US and elsewhere in the world. How can an organization working in multiple countries drive an effective compliance strategy if it is confronted by varying, disparate regulations?

One promising development is the specification of ontologies that enable a common understanding of disparate regulations and of risk. Led by organizations such as OMG, as well as industry and academia, considerable progress has been made in creating ontologies for financial services. The FIBO standard, for example, defines a common language for financial instruments, concepts and processes that can then be applied in strategies for effective regulatory compliance. The PARSIFAL project, funded under the EU FP7 program, has been working on an ontological model for risk.

(image from PARSIFAL Draft Ontology of Financial Risks and Dependencies)

Such an ontological approach shows promise in establishing a common language regarding risk. The Archer experience at T-Systems showed the benefits of a common framework for risk management. A common language of risk would enable us to move toward the risk intelligence that is essential in advanced cyber defense.
The post A Common Language for Risk Management appeared first on Speaking of Security - The RSA Blog and Podcast.
