| Franchesca Sanabria, Principal National Privacy Practice| Eric Dieterich, GM of Advisors & National Privacy Practice Lead| IIA Miami Chapter Conference| January 25, 2019

Finding your Privacy Pulse:How to Use KRIs to MeasureYour Privacy Risk

Focal Point Data Risk

Our Integrated Risk Management Portfolio

2

Technology Risk ConsultingSolve pressing IT and businesschallenges with expert consultingservices, with a focus on cybersecurity, data privacy, and advanceddata management.

Cyber Workforce DevelopmentBuild your cyber security workforcedevelopment program, evolving yoursecurity capabilities throughprescriptive learning programs andlab-intensive courses.

Technology IntegrationDelivers system implementationsand managed services forthe leading Identity Governanceand Access Management (IAM)and eGRC systems.

Audit and ComplianceOffers assessments, co-sourcing,and managed support to solveinternal audit and compliancechallenges, including SOX,HIPAA, and GDPR.

CoreServiceAreas

CYBERSECURITY

IDENTITYGOVERNANCE

CYBER WORKFORCEDEVELOPMENT

DATAPRIVACY

TECHNOLOGYINTEGRATION

DATAANALYTICS

INTERNALAND IT AUDIT

Our Holistic Approach

3

What are KRIs?• Key Risk Indicators (KRIs) can be used across an organizational to measure how risky an

activity is.1. Leading Indicators: Emerging risk trends for events that might happen in the future and

need to be addressed.• An increased amount of personal information being collected due to change in operations.• An increase in social engineering and phishing attacks.

2. Current Indicators: Where you currently sit with your risk exposure.• The number of staff that have yet to completed a new privacy regulation training.• The number of systems without encryption of data-at rest.

3. Lagging Indicators: Events that took place in the past that have the possibility of takingplace again.

• A breach of personal information.• A natural disaster impacting continuity of operations.

4

Attributes of a KRI

• Thresholds can be based on industry tolerance or internal acceptance• Senior Management should be aware / approve thresholds• Should coincide with risk appetite of the organization

5

AttributesQuantifiable Numbers, percentagesPredictable Show early warning signsAuditable Measure the status of risk and controlComparable Tracks trends over a period timeThresholds A pre-defined level that will trigger an action

Case Study: Wimbledon Investments• Wimbledon has established an Executive Management Risk Committee and framework as part

of their Enterprise Risk Management (ERM) program to assess risks.• Wimbledon used analytical data to identify and monitor their major risks.• KRIs have been most helpful for the company when they are used to manage uncontrollable

risks.• Success Story:

• Wimbledon has a concentration of mortgage borrowers employed by China’s miningindustry.

• They recognized that the health of mining companies was necessary for continuedemployment of borrowers.

• So a KRI they needed to consider was how can we predict when mining companies willexperience a downturn?

• In response Wimbledon's ERM began monitoring China’s economy including theemployment rate of mining companies, factors that could contribute to or affect theorganization’s investments.

6

The Difference between a KRI and KPI

Indicator Metric What does it measure? What is its purpose? Who is theaudience?

Key Risk Indicator(KRI)

Quantify risk

A snapshot of an organization’scurrent risk posture and riskmitigation techniques

Non-operational and focuses on riskidentification

Helps organizations understand therisks involved and the likelihood ofnot having a positive result

ExecutiveManagement andthe Board

Key PerformanceIndicator (KPI)

Measure performance (i.e., howeffectively something is operating)

Measures how well individuals,business units, projects areperforming according to their goals

Provide metrics for operationalperformance

Operations andMiddleManagement

7

The Challenges of Understanding Privacy Risks• Complex ecosystem of data sharing models, internally and externally.• Limited awareness of what data is most important to the organization and the

life cycle of the data (i.e., defining you crown jewels)• Legacy storage terms and uses of data conflicting with privacy-by-design

concepts (i.e., minimum necessary).• Potential alignment with a broad range of regulatory and industry standards.• Shared responsibilities for privacy across the enterprise, no single point of

ownership.

8

Benefits of Measuring Privacy RisksIn response to growing challenges, many organizations have begunfocusing on key risk indicators in addition to compliance assessments.• Enables and enhances continuous risk monitoring/reporting• Aids in decision making• Identifies privacy risks that may inhibit an organization’s ability to achieve

specific objectives• Enhances the risk management posture of the organization

9

What is a Privacy KRI?

What would causethis event to

happen?

RiskEvent

What would theconsequences be

if it occurs?

What are we doingto prevent it?

What plans are inplace to minimize

the damage?

Causes Consequences

• Privacy KRIs measure control effectiveness across a defined privacy riskframework.

• The goal of privacy KRIs are to identify actionable and measurable metrics forkey controls supporting an organization’s privacy program.

• Privacy KRIs also help an organization better understand their risk appetite.

KRIs measure both thecause and the consequences

of a possible risk:

How to Build the Privacy KRI Framework

11

4. Define privacy risks3. Identify existing privacyprocesses and practices

5. Define privacy controls

1. Identify Privacy andregulatory requirements of

the organization6. Define KRIs

2. Review the dataclassification and privacy

policy

Key Contributors

LegalPrivacyAudit

Information SecurityComplianceMarketing

Human Resources

Privacy KRIs - ExamplesPrivacy Domain Risk Control KRI

Third Party RiskManagement

Unauthorizedaccess that resultswhen a third party

exceeds ormisuses access

Third parties security due diligence isperformed over third parties upon

onboarding and throughout the duration ofthe relationship

% of vendors withaccess control

issues identified as“high risk”

Privacy Policiesand Frameworks

The act of notfollowing policies,

standards orprocedures

Exceptions to the Privacy Policies arereviewed and approved through a formal risk

acceptance process and revisitedperiodically

# of approvedexceptions to the

policy not revisitedwithin a definedperiod of time

Privacy-by-Design

New types of datacollected onwebsite notunderstood

Privacy Impact Assessments (PIA) areperformed during the design of new featureson website, including adding/modifying data

collected from customers

% of PIAs with amoderate or above

risk ranking

12

Privacy KRIs - Examples

13

Key privacy areas for which KRIs can be defined:• Privacy Notice• Consent Management• Privacy Complaints• Data Retention

How to Monitor the KRI Program• Track and report on KRIs• Leverage tools and dashboard reporting• Establish risk mitigation plans to address KRI limits• Reassess KRI inventory on a regular basis

14

Eric DieterichGM of Advisors & NationalPrivacy Practice Leadedieterich@focal-point.com786-390-1490

Franchesca SanabriaPrincipal, National PrivacyPracticefsanabria@focal-point.com917-903-4890