An Interview with Roland Cloutier, Vice President and Chief Security Officer for ADP Worldwide: With more than $10 billion in revenues and 600,000 clients, ADP is one of the world’s largest providers of business outsourcing solutions, offering a wide range of human resource, payroll, tax and benefits administration solutions. ADP has also developed one of the most mature models of risk management, one that reaches across the corporation. Tripwire recently sat down with Roland Cloutier, Vice President and Chief Security Officer for ADP Worldwide, for a discussion on risk management best practices.
Tripwire: How do your security management efforts align with ADP’s larger enterprise risk management efforts?
Roland Cloutier: I think about risk management as a risk wheel, with wedges representing broadly defined function areas, such as IT, business resiliency, tax, legal, etc. For each of those function areas, there is accountability and responsibility to manage, control and mitigate certain risks.
ADP uses the factor analysis of information risk (FAIR) model as our standard framework and process, which helps us determine the factors that contribute to risk of our assets, and the probability for frequency and magnitude of those factors. Those measurements are sent to our Enterprise Risk Management (ERM) division to create an overall risk picture.
Tripwire: How is governance managed?
RC: ERM is our centralized risk management process. If there is a disagreement, such as whether a possible solution puts shareholders at risk, the issue is then sent to the executive security council, which includes the CEO, CFO, CSO and legal counsel. There, the risk case and the measurable impact to the organization are presented.
TW: How do companies not as mature as ADP get to your level of risk management?
RC: There are four “buckets” that have to be addressed. First, risk governance has to be defined through a business process, which includes an organizational policy and a documented process. Everyone in the company has to be made aware of it.
Second, the policy and process model has to be fair, reasonable, consistent and predictable, with each function area measured against the same model. That way people won’t feel they are being unfairly judged.
Third, risk assessment has to happen fast, either documented against a checklist or automated. People want answers.
And fourth, the security organization can never be the lone risk acceptor – there’s no pain to the business in that, and little buy-in to risk across the company.
However, when another business unit executive signs a document accepting responsibility and accountability for an area of risk, then risk management becomes a priority. This actually opens dialogue about how to manage risk situations, and encourages units to seek help.
You can do this whether your company has 50 employees or 150,000.
ADP moves a couple trillion dollars a year, and manages more social security numbers than the Social Security Administration. Our lifeblood is based on a code of ethics and ability to be accountable to our clients. We deal with people’s sensitive private information. Our executives and board want to know what we’re doing to manage risk.
TW: How does your security organization measure results?
RC: Right now we are measuring how much use there is of our risk management process. But risk events should be measured against four factors: How fast was the risk identified; how fast was it resolved; how fast was the issue closed; and, did it impact the enterprise risk measurement. Being able to answer these four things is a measurement of maturity in the organization.
TW: How do you measure or compare business units, since they accept risk?
RC: ERM does that through the CFO and CIO organizations to assess overall corporate and shareholder risk. With a hard-to-solve issue, where we’re not getting momentum through the risk process, or there is a systemic issue involved, then we bring that issue forward to ERM.
TW: What would you like to be doing a year from now that you’re not doing now?
RC: I want to be better at automation. I want the ability to plug an artificial intelligence or advanced analytics engine into our data that would show outliers of probable risk areas that we can’t currently see. Because what hurts the most? The stuff you don’t have a clue about, and that hurts after you get bit.
TW: For that reason, will you always lean on third party data to help determine that probability?
RC: Yes, always, because ADP has so many business units. Third party data, by that I mean external and business intelligence, gives us information that we hadn’t considered before.