
Cyber compliance across your member firm network

Written by Anthony Stevens | Sep 12, 2022

There's a fine balance to strike when managing the compliance needs of a global or local partnership. As in any partnership, the tension is between the autonomy each member firm needs and the protection and consistency required to safeguard the quality (and reputation) of the shared brand.

I can confidently share this challenge as a former partner at KPMG.

Local markets, different service offerings and varied economic conditions create a push-pull dynamic between the individual member firms and the parent brand.

Cybersecurity and privacy concerns are obvious risks and challenges for a global partnership. The reputational damage from a breach alone would be severe, especially given that most advisory firms sell a cybersecurity offering of their own.

Monitoring compliance

There are a number of capabilities you need in order to quickly and easily uplift and monitor compliance activities around the world:

  1. Set the bar. Define a standard or framework that you expect all member firms to meet; for example, this may be NIST CSF.
  2. Baseline. Undertake a baseline risk assessment for each member firm to understand where each one stands against that standard.
  3. Remediate. Once you know the risks and vulnerabilities, treat them to either remove or mitigate them.
  4. Manage ongoing. Compliance needs to be managed as a continuous cycle of monitoring, assessment and remediation, not a one-off exercise.

The solution

Ultimately, you want an information security management system in place at each member firm, with the standards and agreed control frameworks defined at the group (parent) level, and reporting that flows 'up' to the group for governance and oversight.

From a schematic point of view, the solution looks something like this:

The 6clicks platform is unique in its ability to easily support this deployment model.

Key features include: 

  1. The ability to define the content (standards, laws, regulations, assessment libraries, control sets and risk libraries) at a group level and have it adopted with a 'click' at each member firm level.
  2. The ability to manage multiple GRC instances from one place while still ensuring that each entity retains autonomy over its own GRC. There are several use cases here, such as franchisees, subsidiaries, entities managed by MSPs and advisors, private equity portfolio companies, and separate departments within a single organisation.
  3. The ability to streamline, automate, and closely monitor GRC activities at a granular level.
  4. The ability to initiate risk reviews and assessments to get a quick snapshot of the risks within an entity.
  5. As mentioned above, the ability of each entity to operate autonomously, manage its own data, and adopt GRC at its own pace.

All these features are bundled into our Hub & Spoke architecture for multi-entity GRC. The automation and content defined once at the 'hub' are replicated out to each entity, or 'spoke', which drastically reduces the effort of managing multiple entities from a single place.


In short, the Hub & Spoke model strikes a balance between standardisation and autonomy. It suits MSPs and advisors who need a better way to manage multiple clients, as well as organisations that need to manage multiple franchisees or subsidiaries. Read more about the value of this model for MSPs in our blog on GRC for MSPs.

What makes the Hub & Spoke model well suited to multi-entity GRC management is that it supports bi-directional communication. Even while the entities operate independently, they can communicate with the hub and vice versa, so that everyone involved has better control over the process from their respective vantage points.

World-renowned GRC analyst Michael Rasmussen has investigated the Hub & Spoke architecture and its features for supporting multi-tenant GRC. You can read about Michael's findings in the e-book GRC 20/20 Solution Perspective.

In the video below, you can watch Michael Rasmussen and Dr Heather Buker discuss the need for distributed and autonomous GRC management and how 6clicks meets this need.


Final thoughts

Cyber compliance is becoming a mandatory consideration for organisations, not only to meet regulations but also to protect themselves from fast-evolving cyber threats. GRC implementation remains a complex and time-consuming activity, but an automation-based platform like 6clicks can make a significant difference.