Through Wednesday 16th and Thursday 17th November, over 300 subject-matter experts will be sharing their insight through panel discussions, keynotes and breakout sessions, to give #RISK London attendees an exclusive deep-dive into the big issues impacting risk today.
#RISK London speaker, Michelle Griffey is Chief Risk Officer at Communisis, a role that sees her responsible for Operational Risk, Business Continuity Governance, Data Protection and Information Security Governance.
With a background in Financial Services, Michelle uses her experience to bring a practical and pragmatic approach to risk management, balancing the needs of highly regulated clients with the practicalities of business growth.
Michelle appears on a panel at #RISK London to explore privacy supply chain risks and how organisations can get the best out of collaborating with data sub-processors.
We caught up with Michelle to get an introduction into this important theme and to learn about her professional journey so far.
Could you outline your career pathway to date?
I began my career with Lloyds Banking Group, and I did a multitude of frontline-looking customer management. I worked in group risk in Lloyds as well, working in product and policy governance, and then went into Assurance and change governance. In my current role, I built the enterprise- wide risk framework for Communisis, and also look after data protection as the Data Protection Officer.
Could you give more detail on how risk goes up as the number of data processors increases?
If you have one data processor then you have your pool of data or sensitive personal data sitting in one place. You can wrap your arms around it, wrap your tools around it and understand what’s going on with it.
The more data processes you put in place, the more your visibility over that data can diminish, and the less you know about what’s going on with the data, unless you have strong oversight of the sub processors.
You can put audits in place and you can execute compliance checks but with the best will in the world, they’re not necessarily going to be ongoing at all times, in all places. Therefore, the data landscape that you’re looking at becomes more detached.
What practices should organisations be implementing as they bid to maintain visibility over data handled by sub-processors?
You need good supplier assurance routines when you on-board the suppliers to make sure that they have the right tools to protect the data and keep it safe and secure.
When you are using sub-processors for personal data, make sure that these assurances are ongoing wherever possible. It’s critical to ensure that sub-processors have the correct tools in place, but it’s equally important to have established good relationships. A healthy, positive relationship should engender trust.
If something goes wrong, or if a party suspects a gap exists, the sub-processor is far more likely to be proactive in sorting the issue out. Conversely, a poor relationship is likely to result in people keeping things to themselves if issues arise.
Are there cultural or structural changes that organisations should make in order to improve risk mitigation in the long term?
I think there are structural changes that need to be made. But it’s quite interesting to combine historically separate teams. In our organisation, we have InfoSec governance and data protection; we have operational risk and business continuity all sitting under the umbrella of a risk team.
You get a lot of insight where crossovers happen and people work together. You can also reduce risk of sending out questions to people working in the same areas, thus annoying workers in other areas of your organisation.
Incident Management, for example, fits into all of these areas, but if you can use the insights you get where structures overlap, then that’s really good and cuts down on duplicated processes.
From a cultural perspective, it’s more a case of winning hearts and minds. I think risk and data privacy has been directly something for compliance or risk teams to take care of, and other people can miss the importance of it. If you get people to realise how much these issues apply to them in the real world, then you’ll get more on board.
We could be talking about data on how you spend your money, what you do on the weekends, how much you get paid, etc. By framing it this way, people start to understand what data privacy means in reality, and this is crucial to getting good cultures in place.
Meet the expert: #RISK London
welcomes Michelle GriffeyMichelle Griffey will be among experts speaking at #RISK London,
coming to the Excel this week.
Through Wednesday 16th and Thursday 17th November, over 300 subject-
matter experts will be sharing their insight through panel discussions,
keynotes and breakout sessions, to give #RISK London attendees an
exclusive deep-dive into the big issues impacting risk today.
#RISK London speaker, Michelle Griffey is Chief Risk Officer at
Communisis, a role that sees her responsible for Operational Risk,
Business Continuity Governance, Data Protection and Information Security
Governance.
With a background in Financial Services, Michelle uses her experience to
bring a practical and pragmatic approach to risk management, balancing
the needs of highly regulated clients with the practicalities of business
growth.
Michelle appears on a panel at #RISK London to explore privacy supply
chain risks and how organisations can get the best out of collaborating
with data sub-processors.
We caught up with Michelle to get an introduction into this
important theme and to learn about her professional journey so
far.
Could you outline your career pathway to date?I began my career with Lloyds Banking Group, and I did a multitude of
frontline-looking customer management. I worked in group risk in Lloyds
as well, working in product and policy governance, and then went into
Assurance and change governance. In my current role, I built the
enterprise- wide risk framework for Communisis, and also look after data
protection as the Data Protection Officer.
Could you give more detail on how risk goes up
as the number of data processors increases?If you have one data processor then you have your pool of data or
sensitive personal data sitting in one place. You can wrap your arms
around it, wrap your tools around it and understand what’s going on with
it.
The more data processes you put in place, the more your visibility over
that data can diminish, and the less you know about what’s going on with
the data, unless you have strong oversight of the sub processors.
You can put audits in place and you can execute compliance checks but
with the best will in the world, they’re not necessarily going to be ongoing
at all times, in all places. Therefore, the data landscape that you’re
looking at becomes more detached.
What practices should organisations be
implementing as they bid to maintain visibility
over data handled by sub-processors?You need good supplier assurance routines when you on-board the
suppliers to make sure that they have the right tools to protect the data
and keep it safe and secure.
When you are using sub-processors for personal data, make sure that
these assurances are ongoing wherever possible. It’s critical to ensure
that sub-processors have the correct tools in place, but it’s equally
important to have established good relationships. A healthy, positive
relationship should engender trust.
If something goes wrong, or if a party suspects a gap exists, the sub-
processor is far more likely to be proactive in sorting the issue out.
Conversely, a poor relationship is likely to result in people keeping things
to themselves if issues arise.
Are there cultural or structural changes that
organisations should make in order to improve
risk mitigation in the long term.I think there are structural changes that need to be made. But it’s quite
interesting to combine historically separate teams. In our organisation, we
have InfoSec governance and data protection; we have operational risk
and business continuity all sitting under the umbrella of a risk team.
You get a lot of insight where crossovers happen and people work
together. You can also reduce risk of sending out questions to people
working in the same areas, thus annoying workers in other areas of your
organisation.
Incident Management, for example, fits into all of these areas, but if you
can use the insights you get where structures overlap, then that’s really
good and cuts down on duplicated processes.
From a cultural perspective, it’s more a case of winning hearts and minds.
I think risk and data privacy has been directly something for compliance
or risk teams to take care of, and other people can miss the importance of
it. If you get people to realise how much these issues apply to them in the
real world, then you’ll get more on board.
We could be talking about data on how you spend your money, what you
do on the weekends, how much you get paid, etc. By framing it this way,
people start to understand what data privacy means in reality, and this is
crucial to getting good cultures in place.
Don’t miss Michelle Griffey speaking at #RISK London in the
session: “Privacy Supply Chain Risks: Best Practices for Working
With Subprocessors.”
The session sits within a two-day agenda of insight and guidance at #RISK
London, Europe’s leading risk-focussed expo, taking place on November
16 and 17 at Excel, London.
The event unites thought leaders and subject matter experts for a deep-
dive into organisational approaches to handling risk. Content is delivered
through five content hubs, each featuring insightful sessions, case studies,
networking, high-level thought leadership presentations and panel
discussions.
DetailsSession: Privacy Supply Chain Risks: Best Practices for Working
With Subprocessors
Time: 14:25 – 15:10
Date: Thursday 17 November 2022
Venue: Excel, London
#RISK London is also available on-demand for global viewing.
Click here to book your place at #RISK London.
ENDS
No comments yet