Cover Your Ass (CYA) Security/Risk/Compliance

What exactly is CYA?
CYA stands for ‘Cover Your Ass’.

http://en.wikipedia.org/wiki/Cover_your_ass

According to Wikipedia:

CYA describes professional or organizational practices that serve to protect oneself from legal and administrative penalties, criticism, or other punitive measures. The polite explanation of the abbreviation is "consider yourself accountable".

As a risk professional, I am seeing a lot of CYA in the risk & compliance space.

So what is the motive behind CYA in the risk/compliance space?

Simple: risk is very subjective and compliance is not an exact science; most guidelines are open to interpretation. Moreover, when an incident happens, all attention turns to the risk & compliance officers.

What is the impact on the organization?

A risk professional who engages excessively in CYA activities becomes risk-averse and tends to introduce controls that are not effective, either in terms of cost or in mitigating the risk.

So how can the situation be improved? (My personal recommendations.)

- Be clear and transparent about what you are covering (obviously you are not covering all risks!) and, most importantly, what you are not going to cover as part of your risk assessment or duties. Risk, especially operational risk, is still a new subject not only to risk professionals but also to other professionals working in the company.

- Formalize your own risk assessment (keep yourself out of trouble). Most people don't realize that when they provide assurance to the business units, whether positive or negative, they are putting themselves at risk. Remember that opinion = liability, and opinion is very expensive. If the engagement is an agreed-upon procedure or an issue-and-recommendation exercise, be clear to your stakeholders that you do not provide any sort of assurance.

- Educate your stakeholders that there is no such thing as 'absolute assurance'. Most risk/compliance professionals know this, but don't assume that your stakeholders know it! Incidents do happen from time to time, but that doesn't mean we need to add extra controls.

And most importantly, be practical with your recommendations! Completing a regulatory compliance checklist and identifying gaps is easy, but advising customers/clients with a solution that is practical while still addressing the risk remains a challenge.

Let me know your thoughts!
