In mid-November, the PCI Security Standards Council released its Risk Assessment Guidelines as a supplement to the PCI Data Security Standard (PCI-DSS). Expanding on the requirements outlined in section 12.1.2 of the PCI-DSS, the new document provides further guidance on the techniques and methods organizations should consider when addressing this requirement of the standard. As solid and prescriptive the PCI-DSS is, there are several areas – risk management being one – that are very hard to elaborate on beyond the basic requirements of having a risk management process without publishing an extensive treatise on risk management. The Special Interest Group of the PCI Council has taken this opportunity to expand on its risk management expectations through this special publication.
The traits described in the supplement are common to many organizations’ goal of an enterprise risk management program. Establishment of a Risk Assessment team, implementation of a common risk assessment framework, consistent risk identification methods and the evaluation, analysis and treatment of risks, as outlined in the publication, are core to the ERM strategies of many companies. This underscores the value of the ERM initiatives that are driving through companies today and is an indicator of what we can expect from regulatory, industry and legislative standards.
Risk-based approaches are becoming a fundamental component of compliance activities across the board. The inclusion of a risk management requirement is common in many industry standards. The PCI Council has taken the next step to provide more guidance and thus raising the bar on what is expected to meet this requirement.
Those companies that are struggling with supporting or justifying their ERM efforts can look to this trend as another source of rationalization. Risk management will be considered another key benchmark in a company’s compliance efforts.
Checking the box on “Do you have a risk management program?” will not be as simple as before. The expectations are being raised as standards bodies are recognizing the benefits, and intricacies, of a strategic risk management program.