Compliance, Risk & Resilience Services

Helping clients become resilient, risk-managed organizations

Organizations increasingly face disruption as a sustained operating condition. The risk comes from the seemingly ubiquitous threat of cybersecurity incidents, supply chain failures, workforce challenges from public health crises, climate-related threats to physical infrastructure, and enhanced regulatory enforcement.

Well-managed organizations address this challenging enterprise risk environment by making operational resilience both a strategic imperative and a competitive advantage, and compliance an intended outcome. Boards establish these strategic governance objectives and expect senior management to execute them.

Operating successfully through inevitable disruptive crises requires consideration, planning and preparation to ensure the organization has, or builds, the predictable crisis response capability expected by stakeholders, regulators and customers.

Enterprise Risk Management (ERM)

The confluence of complex and disparate risks that confront organizations demands a disciplined way to evaluate risks and commit resources appropriate to their potential impact on strategy and execution.

To manage these risks, well-managed organizations have in common a process for identifying, assessing, and handling the risks they face.

Enterprise risk management (ERM) is an approach for identifying, assessing, and managing all types of risk the organization faces by priority, consistent with business objectives and risk appetite. It goes well beyond the traditional role of the risk manager and enables leadership to understand, prioritize and make consequential decisions. ERM enables companies to communicate, compare and decide on a preferred strategy to prioritize and address risks based on the company's objectives and risk appetite or tolerance. ERM provides a deliberate, strategy-based method for companies to accept, avoid, mitigate, transfer or exploit the risks inherent in their business model and operations strategy.

Our ERM approach provides a practical methodology and prism through which clients recognize, consider and articulate the risks that threaten their success; evaluate their approach to risk management; make optimal risk-based decisions; and develop risk-based decision-making throughout the organization to create enterprise value.

Our ERM advisory services include:

  • Independently assessing ERM program effectiveness
  • Developing and implementing ERM frameworks
  • ERM program maturity and benchmarking
  • Formulating the risk appetite statement
  • Identifying/assessing key risks, evaluating mitigation, and controls
  • Conducting Strategic Risk Reviews to refresh existing risk assessments
  • Quantifying risk and measuring risk performance
  • Organization, governance and reporting structure


Crisis situations require accelerated decision-making

Managing effectively through crisis with these types of plans is now expected of resilient and well-managed organizations. Stakeholders, regulators, markets and the media are unforgiving of management teams that do not prepare their organizations effectively for crisis situations and boards that do not demand it. Poor readiness leads to negative impact on reputation, financial performance, market value and an increased threat of enforcement action.

Companies should develop a "toolbox" of response plans within an overall crisis management governance framework. Crisis situations require accelerated decision-making that may have to leapfrog the conventional management and budget approvals process and normal communication systems.

Ironically, emergencies and crises seem to occur when responsible persons are least connected, available and reachable. As a result, effective crisis plans are increasingly being built on innovative mobile platforms that can dynamically geolocate team members, support live multilingual collaboration and accelerate crisis management decision-making among geographically dispersed staff.

Our team provides practical, best-in-class business continuity planning (BCP) and continuity of operations (COOP) solutions, facilitated services and technology platforms to private and public sector clients in virtually every industry. We maintain the technical expertise to help clients align their disaster recovery capacity with their continuity plans and help organizations manage crisis situations with these services and capabilities:

  • Business continuity management (BCM) strategic governance modeling for senior management
  • Current state assessments of BCPs and COOPs
  • Business impact assessments (BIA)
  • Risk-adjusted software application recovery policies
  • Plan upgrades on cloud-hosted SaaS and mobile platforms
  • Staff training programs, facilitated tabletop exercises and COVID look-back assessments
  • Regular plan maintenance programs
  • COVID-driven work-at-home and back-to-work assessments, plans and policies
  • Critical IT resources inventory and minimum equipment configuration
  • Critical application inventory, run books, recovery mode operational procedures
  • Disaster recovery plan preparation, development and testing
  • Recovery strategy alternatives for equipment and applications
  • Safety, security and vulnerability assessments
  • Plan review, assessment and development on desktop and mobile crisis management platforms
  • Facilitated structured walk-throughs and tabletop, functional, and full-scale exercises
  • Strategic crisis management frameworks and governance models

Cybersecurity Compliance & Risk Management

Cybersecurity remains among the most ubiquitous and pervasive enterprise risks addressed by compliance, legal, risk management and internal audit officers and board committees. When upwards of 85% of assets today are digital, cybersecurity universally affects organizations as one of the most malicious and consequential risks they face.

Not only have information technology and operating environments evolved into complex hybrid systems, but also the means, motivations, and skills of threat actors have rapidly matured to a state of tradecraft that is sophisticated, patient and perversely effective.

Regulators that recognize the inherent vulnerability of critical infrastructure in key industries to the evolving threat landscape are steadily putting more teeth into regulations, attestation systems, disclosure requirements and enforcement actions.

Well-prepared organizations should have cybersecurity programs based on the value of their assets, their risk profile and tolerance, the opportunity cost of breach-related operational downtime, and their regulatory obligations and enforcement exposure. It is never "one size fits all". Our perspective is that, because compromise of digital assets and systems is essentially inevitable, resilience must be the prudent endgame after efforts around prevention, detection and response have done their best.

Compliance advisory services for cybersecurity regulations:

  • Defense Industrial Base - practical preparation for binary new Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) regulatory obligations for prime and subcontractors provided by former defense industry security experts
  • Healthcare - Health and Human Services' Office for Civil Rights (HHS OCR) audit readiness, Health Insurance Portability and Accountability Act (HIPAA) security and privacy compliance for covered entities and business associates, meaningful use audits of electronic health records (EHR) systems, revenue cycle assessment and remediation
  • Financial Services - sustaining compliance with global, federal, and state cybersecurity regulations such as Federal Financial Institutions Examination Council (FFIEC) and New York State's 23 New York Codes, Rules and Regulations (NYCRR) Part 500

Cybersecurity strategy, policy, posture, and maturity

  • Posture measured against International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), CMMC, HIPAA and other cyber frameworks
  • Cyber-related mergers and acquisitions (M&A) due diligence
  • Policy and procedure development, socialization and training
  • Maturity strategy roadmaps and implementation oversight

Risk assessments, technical testing, and vulnerability remediation

  • Secure software development process
  • Penetration and vulnerability testing, phishing and social engineering tests
  • Current state program assessment - people, process and technology across network, web, and mobile security - and vulnerability remediation oversight and validation
  • Security assessments of industrial/process control systems that comprise the operational technology (OT) environment

Short-term Interim Management

  • Office of the Chief Information Security Officer (CISO) services
  • Data Privacy Officer (DPO) services

Compliance, Risk & Resilience Leadership

Andy Moore

Co-Chief Executive Officer

Bryant Riley

Co-Chief Executive Officer, B. Riley Financial

Jaimie Barry

Vice President, Corporate Access

Mike McCoy

Chief Financial Officer

Kate Kelly

Chief Talent Officer

Michael Markunas

Deputy General Counsel & Chief Compliance Officer

Jimmy Baker

Co-Chief Executive Officer & Head of Capital Markets

Joe Nardini

Senior Managing Director, Head of Investment Banking

Nishen Radia

Senior Managing Director, Head of M&A

Perry Mandarino

Head of Restructuring

Dawn Farrell

Chief Administrative Officer

Seth Appel

Senior Managing Director

Michael Brill

Senior Managing Director

Matt Feinberg

Senior Managing Director

Robert Arnold

Senior Managing Director

Michael Lowell

Senior Managing Director

Alex Wolodzko

Vice President

Colin Welch

Vice President

Natalie Bend

Vice President

Grayson Largman

Director

Dominic Riley

Vice President

Daniel Lewis

Director

Teri Kendall

Director

Gideon Rosenbaum

Director

Kathy Innis

Director

Alexandra Shaffer

Director

Melissa Woodson

Managing Director

Becky Popoff

Director

Igor Belov

Director

Pat Pilouk

Director

Brian Taylor

Managing Director

Thomas McGlynn

Managing Director

Patrick Hanniford

Managing Director

Keith Pompliano

Managing Director

Michael Devitt

Managing Director

Matt Spain

Senior Managing Director

Ryan Aceto

Deputy Head of Equity Capital Markets

Chris Ankley

Managing Director

Chad Ritchie

Managing Director

Michael Cavanagh

Managing Director

Scott Ammaturo

Senior Managing Director, Head of ATM Trading

John Stack

Senior Managing Director

Jonathan Mitchell

Senior Managing Director

Greg Presson

Senior Managing Director

Ernie Dahlman

Managing Director

Jeff Van Sinderen

Senior Research Analyst

Josh Nichols

Senior Research Analyst

Naved Khan

Managing Director

Mike Crawford

Head of the Discovery Group

Zach Cummins

Senior Research Analyst

Craig Ellis

Director of Research

Dave Kang

Senior Research Analyst

John Massocca

Senior Research Analyst

Yuan Zhi

Managing Director

Mayank Mamtani

Senior Managing Director, Group Head of Healthcare

Kalpit Patel

Senior Research Analyst

William Wood

Research Analyst

Randy Binner

Managing Director

Ryan Pfingst

Senior Research Analyst

Matthew Key

Research Analyst

Liam Burke

Managing Director

Griffin Boss

Research Analyst

Anna Glaessgen

Senior Research Analyst

Knut Grevle

Head of Equity Trading

Dan Ondeck

Head of East Coast Sales

Eric Rajewski

Head of Institutional Sales

Madison El-Saadi

Research Analyst

Frank Pigott

General Counsel

Nick Giles

Senior Research Analyst

Hal Goetsch

Managing Director

Anderson Schock

Research Analyst