Risk Management Lecture 3


Transcript of Risk Management Lecture 3

  • 7/22/2019 Risk Management Lecture 3

    Slide 1 of 44: Lecture 3

    Building an Information Risk Management Toolkit: Practical Governance, Risk and Compliance

    Dr. Barbara Endicott-Popovsky

  • Slide 2: Quick Review

    Terminology

  • Slide 3: Today's organizations are concerned about GRC

    Governance
    (Enterprise) Risk Management
    Compliance

  • Slide 4: What is GRC?

    Governance: Processes, Systems and Controls by which organizations defend the interests of the stakeholders.
    e.g. IFRS, COSO, OECD, Clause 49

    Risk: Possibility of loss or injury created by an external entity or by a person.
    Operational Risk, Credit Risk, Market Risk

    Compliance: Concept of acting in accordance with established laws, regulations, protocols, standards and specifications.
    e.g. SoX, HIPAA, FCPA

    Maclear LLC, 2012

  • Slide 5: GRC Components

    GRC Application Controls: Transaction Monitoring; SOD & Access; Application Configuration
    GRC Reporting & Analytics: Reporting; Alerts; Dashboards
    GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Mgmt
    GRC Infrastructure Controls: Change Mgmt; Digital Rights; Data Security; Identity Mgmt; Records Mgmt

  • Slide 6: Governance, Risk Management and Compliance

    Governance: The overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures.

    Risk management: The set of processes through which management identifies, analyzes, and responds appropriately to risks that might adversely affect realization of the organization's business objectives.

    Compliance: Conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

  • Slide 7: GRC Eco-System

    GRC is the integration of:
    Governance
    Risk Management
    Compliance Management
    Ethics Management
    Performance Management
    Internal Controls
    Information Assurance

  • Slide 8: Corporate Governance (diagram)

    Risk Management
    Policy Management
    Compliance Management
    Corporate Governance

  • Slide 9: Risk Management (section agenda)

    Definitions and Terms
    Purpose of Risk Management
    Managing the Upside and Downside of Business
    RM Framework
    Measuring Risk
    Risk Assessment Approach
    Risk Calculations
    Risk Reporting

  • Slide 10: Definitions and Terms

    Risk (n): Undesirable effect of uncertainty on achieving business objectives.

    Risk (v): To put something in a state where it may encounter undesirable effects on achieving objectives due to uncertainty.

    Risk Management System or Framework: A system that addresses risk and reward.

    Risk Management Process: A process that establishes context and communicates with stakeholders about risk management; and identifies, analyzes, prioritizes, treats, and monitors risk while addressing reward.

  • Slide 11: Quotes

    "Risk is like a fire: If controlled it will help you; if uncontrolled it will rise up and destroy you." (Theodore Roosevelt)

    "The purpose of risk management is to change the future, not to explain the past." (The Book of Risk, Dan Borge)

  • Slide 12: Purpose and Objectives of Risk Management

    To gain a comprehensive view of the significant financial, strategic, compliance, and operational risks across an organization or entity.

    To build a sustainable process within the business to continually Assess, Improve, and Monitor the significant risks to achieving organizational objectives.

    Optimal use of resources through risk-based decision making:
    Cost-effective investments in defensive measures
    Proper focus on issues of highest concern

    To assist the business in realizing opportunities through a broader understanding of the risks they face.

  • Slide 13: Managing Upside and Downside

    Attitudes toward risk management: "All too confusing and overdone", "Except when we get in trouble", "Must do it", "But how do we do it better?"

    Two goals: Keep Us Out of Trouble; Make Our Business Better

    Drivers shown on the slide (in slide order):
    Growing Number of Restatements
    Stiffer Sanctions
    Catastrophic Reputational Consequences
    Bigger Fines and Settlements
    Criminal Indictments
    Effective Use of Technology
    Coordinated Risk Activities
    Expanding Regulation
    Enhanced Business Processes
    Reduced Total Risk Spend
    Better Product Offerings
    Improved Communications and Disclosure

  • Slide 14: Corporate Risk Dimensions

    Risks can be identified at various levels of an organization, called dimensions. For instance, technology risks can be grouped into the following five risk dimensions:
    Organizational Risks
    Functional Risks
    Process & Technology Risks
    Data Risks
    External/Environmental Risks

  • Slide 15: Risk Calculations

    Inherent Risk = Inherent Likelihood * Inherent Impact
    Residual Risk = Residual Likelihood * Residual Impact
    Inherent Risk = Threat Likelihood x Magnitude of Impact

  • Slide 16: Impact Criteria

    Columns: Score; Rating; Operating Income; Impact on Value (EPS Impact on Annual Guidance); Description of Impact; Duration; Organizational and operational scope; Reputational impact on stakeholders (i.e., customers, shareholders, and employees); Legal/Compliance/Environmental Impact

    Score 5, Critical:
      Operating Income: >11%
      Impact on Value: >$2.5B; Significant reduction in market capitalization, significant draw on liquidity reserve (EPS > $0.25)
      Duration: Significant Recovery Period
      Scope: Enterprise-wide: Inability to continue business operations globally
      Reputational: Permanent loss of stakeholder confidence resulting in legal action, interruption in Enterprise operations globally, and/or defection to competition
      Legal/Compliance/Environmental: Global restrictions on conducting business in certain product lines, markets, or geographies.

    Score 4, High:
      Operating Income: >4.4%
      Impact on Value: >$1.0B; Substantial reduction in market capitalization, substantial draw on liquidity reserve (EPS > $0.10)
      Duration: Recoverable in the Long Term (i.e., 24-36 months)
      Scope: 2 or more divisions: Significant, ongoing interruptions to business operations within 2 or more divisions
      Reputational: Sustained losses in 2 or more stakeholder groups
      Legal/Compliance/Environmental: Prohibited from conducting business in certain product lines, markets, or geographies.

    Score 3, Moderate:
      Operating Income: >2.2%
      Impact on Value: >$500M; Limited reduction in market capitalization, limited draw on operating cash flow (EPS $0.05)
      Duration: Recoverable in the Short Term (i.e., 12-24 months)
      Scope: 1 or more division(s): Moderate impact within 1 or more division(s)
      Reputational: Moderate loss in 1 or more stakeholder groups
      Legal/Compliance/Environmental: Significant fines or limitations on conducting business in certain product lines, markets, or geographies.

    Score 2, Low:
      Operating Income: >1.10%
      Impact on Value: >$250M; Missed forecast(s) and/or budget(s), limited draw on operating cash flow (EPS $0.025)
      Duration: Temporary (i.e., less than 12 months)
      Scope: 1 division: Limited impact within 1 division
      Reputational: Limited to minor/short-term loss in 1 stakeholder group
      Legal/Compliance/Environmental: Limited actions against the company with limited effects on operations.

    Score 1, Minimal:
      Operating Income: >0.50%
      Impact on Value: >$100M (EPS $0.01)
      Description: Minimal Impact

  • Slide 17: Likelihood Criteria

    Columns: Score; Rating; Consideration; Probability; Frequency

    5, Expected: The risk event or circumstance is relatively certain to occur, or has occurred within the past year; 90-100%; Almost Yearly
    4, Highly Likely: The risk event or circumstance is highly likely to occur; 70-90%; Every 2 to 3 Years
    3, Likely: The risk event or circumstance is more likely to occur than not; 50-70%; Every 4 to 6 Years
    2, Not Likely: The risk event or circumstance occurring is possible; 10-50%; Every 7 to 9 Years
    1, Slight: The risk event or circumstance is only remotely probable; < 10%; Every 10 Years and Beyond

  • Slide 18: Management Activity/Control Level Criteria

    Columns: Score; Rating; Action; Description

    5, Very High, Effective: Controls and/or Management Activities properly designed and operating as intended, no defined opportunities for improvement. There are no outstanding High or Medium risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or the external auditors.

    4, High, Limited Improvement Opportunity: Controls and/or Management Activities properly designed and operating, with limited opportunities for improvement identified. There are no outstanding High risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or the external auditors.

    3, Moderate, Moderate Improvement Opportunity: Key controls and/or Management Activities in place, with moderate opportunities for improvement identified. There are no outstanding High risk audit issues. There may be some significant deficiencies as defined by SOX or the external auditors.

    2, Low, Significant Improvement Opportunity: Limited controls and/or Management activities in place, high level of risk remains, significant opportunity for improvement identified. There are outstanding High and/or Medium risk Audit issues or significant deficiencies as defined by SOX or the external auditors.

    1, Very Low, Critical Improvement Opportunity: Controls and/or Management Activities are non-existent or have major deficiencies and don't operate as intended, critical opportunity for improvement identified. There are outstanding High risk audit issues or material weakness(es) as defined by SOX or the external auditors.

    NOTE: When evaluating the Management/Control Level for a particular risk event or circumstance, make the evaluation based on the existing management activities and/or controls that exist both within defined business processes as well as at the entity level. The table provides guidance for choosing a score of 1 through 5.

  • Slide 19: Measuring Risk - Risk Map

    Medium risk (high impact, low/medium likelihood):
    Seek ways to reduce the impact of the risk, should it occur
    Investigate further to confirm likelihood is not higher than believed
    Assess processes and controls to ensure risk will not worsen

    High risk (high impact, high likelihood):
    Seek risk responses: avoid, transfer/share, mitigate/reduce, accept
    Remediate items causing the risk
    Investigate the risk further to gain better insight on how to respond

    Risks falling at or near the risk tolerance level:
    Accept the risk, since it is at/near tolerance level
    Seek ways to reduce the likelihood or impact of the risk
    Assess processes/controls to ensure risk will not worsen

    Low risk (low impact, low likelihood):
    Monitor the risk periodically to confirm it has not increased

    Medium risk (low/medium impact, high likelihood):
    Seek ways to reduce the likelihood of the risk occurring
    Investigate further to confirm that impact is not higher than believed
    Assess processes and controls to ensure risk will not worsen

  • Slide 20: Risk Levels and Impact of Risk Treatment (Representative Sample)

    Tier 1 Risks:
    1 Privacy / Security of Crit Data
    2 Business Continuity Mgmt
    3 Corruption
    4 Product Quality
    5 Financial Guidance and Mkt Expectations
    6 HW Quality and Compliance
    7 Taxation of Foreign Earnings
    8 Credit and Collections
    9 Y!
    10 Data Management

    [Risk map figure: x-axis Likelihood of Occurrence (1 Remote, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost Certain); y-axis Severity of Impact (1 Mild, 2 Moderate, 3 Serious, 4 Severe, 5 Catastrophic); each numbered risk is plotted twice, as Inherent Risk and as Residual Risk]

  • Slide 21: Risk Responses

    Avoid: Choosing not to participate in the activity that is associated with or causing the risk.

    Transfer/share: Engaging another party to accept all or part of the risk. This can be through insurance, outsourcing risky tasks or entering into business arrangements/agreements whereby risk is shared across parties or reassigned to the other party.

    Mitigate/reduce: Decrease the level of risk by either reducing the probability that the risk might occur, or by taking measures that will cause the impact to be lessened should the risk occur.

    Accept: Acknowledge the risk and choose to do nothing, thereby accepting any potential impacts and consequences.

  • Slide 22: Risk Assessment Methodologies

    National Institute of Standards & Technology (NIST) Methodology
    ISO 31000
    OCTAVE
    COSO ERM
    FRAP
    Risk Watch

  • Slide 23: Established Governance and Risk Management methodologies

    COSO Enterprise Risk Management
    Control Objectives for Information and related Technology
    Companies often adopt a hybrid
    McCumber cube - evaluating information assurance programs

    http://en.wikipedia.org/wiki/File:Mccumber.jpg
    http://www.itil-officialsite.com/home/home.asp

  • Slide 24: Risk Assessment Approach

    Planning and Scoping
    Business risk scenarios
    Risk Universe
    Assessment of Risks and Controls
    Management Recommendations
    Action planning and execution
    Action tracking and reporting

  • Slide 25: ERM Risk Universe

    Four risk categories: Strategic; Financial/Reporting; Operations; Legal/Compliance

    Business Model: Vision & Direction; Monetization Model; Brand/Marketing Strategy; Channel Strategy; Pricing Strategy; Competitive Positioning; Value Chain Strategy; Measurement & Monitoring
    Strategic Investments: M&A; Partner Alliance; Ecosystem Investments; R&D Investments
    Market Dynamics: General Macro Environment; Social-Political; Technology Changes; Talent Acquisition; Customer Demand; Consumer Lifestyle; UGC/Sharing; Use of Mobile vs. PC; Piracy
    Business Model Disruptions: "Thin" Client Services; Open Source; Ad-Funded; Virtualization; OEM Disruption; Channel Alienation; Importance of S/W H/W Coupling
    Product Development: Product Strategy; Software Development; Product Development Partners; Product Quality/Integrity; Product Security; Product Release; 3rd Party Subsystems or Functionality Integration
    Sales & Marketing: Research and Development; Marketing; Advertising; Product Pricing; Sales and Marketing - Partner Management; Sales Contracting/Customer Pricing; Order Management; Public Relations
    Services: Consulting Services; Customer Support; Service Partners; Customer Operations
    Supply Chain: Manufacturing Planning and Forecasting/Product Availability; Vendors/Partners/Contract Execution; Procurement; Production; Inventory & Capacity Management; Distribution Channels; Product Licensing/Subscriptions; Product Compliance; Software Piracy
    Corporate Governance: Board Performance; Governance Framework; Corporate Citizenship
    Legal Compliance: Ethics and Business Conduct; Anti-Corruption; Fraud
    Legal: Contract; IP/Source Code Protection; IP Infringement; Piracy/Counterfeiting
    Regulatory: Antitrust and Competition Law; Export Control and Global Trade; Labor Laws and Regulations; Securities; Environment; Data Protection and Privacy; Product Safety
    Planning & Resource Allocation: Operational and Business Planning; Budgeting and Forecasting; Capital Expenditure Planning; Outsourcing
    Treasury: Cash Management; Hedging; Investing; Insuring; Funding; Credit and Collections; Securities Lending
    Financial Reporting: GAAP Accounting; External Reporting & Disclosure; Internal Control/SOX 404/302; Statutory Reporting; Internal Reporting; Information & Reporting Integrity
    Tax: Tax Strategy and Planning; Tax Optimization; Transfer Pricing; Property Taxes; Tax Compliance
    Investor Relations: Communications
    Mergers, Acquisitions & Divestitures: Accounting for Mergers, Acquisitions & Divestitures
    Internal Audit
    People: Culture; Recruiting & Retention; Global Resourcing; Development and Performance; Succession Planning; Compensation & Benefits; Labor Relations; Employee Communications; Organizational Structure
    Information Technology: Infrastructure Resiliency and Availability; Data Privacy; Data Management, Integrity and Quality; Infrastructure Security; Information System Access; IT Governance
    Business Continuity: Natural Events; Information Technology Recovery; Business Process Recovery; Crisis Management; Man Made Events
    Corporate Physical Security: Buildings and Facilities; Threats of Violence; Incidents of Theft; Life Safety

  • Slide 26: Risk Reporting - Risk Maps

    The Risk Map displays individual unit risks in relation to each other based on the Impact and Likelihood assessment.

    Axes: Risk Exposure (Impact x Likelihood), Low to High; Management/Control Activity Level, Low to High. Quadrants:

    Improve: Areas of high risk exposure with a low level of control must be key priority for improvements in management and control activities.
    Monitor: Areas of high risk exposure where controls are deemed adequate should be monitored to provide ongoing assurance of control effectiveness.
    Accept: Areas of low risk exposure that also have a lower level of control may be consciously accepted by the organization.
    Optimize: Areas of low risk exposure with a high level of control may generate opportunities to optimize the management and control activities.
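    The following is an added worked example, not part of the lecture or of Maclear LLC's material. It applies the lecture's Risk = Likelihood x Impact formula with the 1-5 Impact, Likelihood and Control Level criteria, places each risk in the quadrants of the Measuring Risk map (high/low impact and likelihood) and of the Risk Reporting map (exposure versus control level: Improve, Monitor, Accept, Optimize). The cut-offs (scores of 4-5 count as "high", an exposure of 10 or more out of 25 counts as high exposure, probability band edges go to the higher band) and the scores in the sample register are this example's assumptions; the risk names are taken from the Tier 1 sample slide, the scores are invented.

```python
"""Risk scoring with the lecture's 1-5 criteria (added example, not lecture code)."""
from dataclasses import dataclass

# Rating labels as the criteria slides give them.
IMPACT_RATING = {5: "Critical", 4: "High", 3: "Moderate", 2: "Low", 1: "Minimal"}
LIKELIHOOD_RATING = {5: "Expected", 4: "Highly Likely", 3: "Likely",
                     2: "Not Likely", 1: "Slight"}
CONTROL_RATING = {5: "Very High", 4: "High", 3: "Moderate", 2: "Low", 1: "Very Low"}

# Assumed cut-offs (the lecture gives none): 4-5 is "high" on a 1-5 scale,
# and an exposure (likelihood x impact, range 1-25) of 10+ is "high exposure".
HIGH_SCORE = 4
HIGH_EXPOSURE = 10


def likelihood_score(probability: float) -> int:
    """Map an annual probability (0.0-1.0) onto the Likelihood Criteria bands:
    <10% -> 1, 10-50% -> 2, 50-70% -> 3, 70-90% -> 4, 90-100% -> 5.
    Assumption: a value on a band edge goes to the higher band."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for score, lower in ((5, 0.90), (4, 0.70), (3, 0.50), (2, 0.10)):
        if probability >= lower:
            return score
    return 1


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact (Risk Calculations slide); used for both the
    inherent (pre-control) and the residual (post-control) score."""
    if likelihood not in range(1, 6) or impact not in range(1, 6):
        raise ValueError("likelihood and impact must be scores from 1 to 5")
    return likelihood * impact


def impact_likelihood_zone(likelihood: int, impact: int) -> str:
    """Quadrant of the Measuring Risk map, named as on the slide."""
    high_l, high_i = likelihood >= HIGH_SCORE, impact >= HIGH_SCORE
    if high_l and high_i:
        return "High risk (high impact, high likelihood)"
    if high_i:
        return "Medium risk (high impact, low/medium likelihood)"
    if high_l:
        return "Medium risk (low/medium impact, high likelihood)"
    return "Low risk (low impact, low likelihood)"


def reporting_action(exposure: int, control_level: int) -> str:
    """Quadrant of the Risk Reporting map: exposure against control level."""
    high_exposure = exposure >= HIGH_EXPOSURE
    high_control = control_level >= HIGH_SCORE
    if high_exposure:
        return "Monitor" if high_control else "Improve"
    return "Optimize" if high_control else "Accept"


@dataclass
class RiskItem:
    name: str
    inherent_likelihood: int
    inherent_impact: int
    control_level: int          # Management Activity/Control Level score
    residual_likelihood: int    # likelihood and impact re-assessed with controls
    residual_impact: int


def assess(item: RiskItem) -> dict:
    """Score one register entry and place it on both maps."""
    residual = risk_score(item.residual_likelihood, item.residual_impact)
    return {
        "risk": item.name,
        "inherent": risk_score(item.inherent_likelihood, item.inherent_impact),
        "residual": residual,
        "control": CONTROL_RATING[item.control_level],
        "zone": impact_likelihood_zone(item.residual_likelihood, item.residual_impact),
        "action": reporting_action(residual, item.control_level),
    }


# Constructed sample register: names from the Tier 1 slide, scores invented.
SAMPLE_REGISTER = [
    RiskItem("Privacy / Security of Crit Data", 4, 5, 2, 3, 5),
    RiskItem("Business Continuity Mgmt", 4, 4, 4, 3, 4),
    RiskItem("Credit and Collections", 2, 2, 2, 2, 2),
    RiskItem("Data Management", 2, 3, 5, 1, 2),
]


def assess_register(register=SAMPLE_REGISTER) -> list:
    """Assess every entry, highest residual risk first (the reporting order)."""
    return sorted((assess(i) for i in register),
                  key=lambda r: r["residual"], reverse=True)


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['risk']:<34} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} control={row['control']:<9} "
              f"{row['action']:<8} {row['zone']}")
```

    Running the file prints the register sorted by residual score; the first entry lands in "Improve" because its exposure is still high while its control level is Low, which is the combination the Risk Reporting slide singles out as the key priority.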

  • Slide 27: Risk Management Recap

    Definitions and Terms
    Purpose of Risk Management
    Managing the Upside and Downside of Business
    RM Framework
    Measuring Risk
    Risk Assessment Approach
    Risk Calculations
    Risk Reporting

  • Slide 28: Corporate Governance (diagram)

    Risk Management
    Policy Management
    Compliance Management
    Corporate Governance

  • Slide 29: Policy Management (section agenda)

    Regulations and Corporate Policies
    Policies, Standards and Guidelines
    Policy Management Lifecycle
    Policy Compliance

  • Slide 30: Policy as Extension of the Rule of Law

    Legal System
    Corporate Boundary
    Policy

  • Slide 31: Policy Management Lifecycle

    1. Environment Changes: Consider corporate, risk and regulatory environments
    2. Policy Development: Consider Ownership, Writing and Approval processes
    3. Policy Communication: Consider publication, Training and Attestation
    4. Policy Monitoring: Consider Enforcement and Exception management
    5. Policy Maintenance: Consider Review and Archival processes

  • Slide 32: Policy Compliance (Policy Deployment / Compliance Management)

    Promote:
    Communicate the business value of compliance
    Communicate how we help achieve compliance value

    Enable:
    Deliver and support the processes and tools that enable compliance
    Prepare and support the people who are accountable for compliance

    Monitor:
    Monitor compliance processes and tools
    Measure the effectiveness of compliance, including processes and tools

    Report:
    Report on the enterprise health of compliance
    Provide business group reporting to management

  • Slide 33: Policy Management Recap

    Regulations and Corporate Policies
    Policies, Standards and Guidelines
    Policy Management Lifecycle
    Policy Compliance

  • Slide 34: Corporate Governance (diagram)

    Risk Management
    Policy Management
    Compliance Management
    Corporate Governance

  • Slide 35: Compliance (section agenda)

    Complying with Internal and External Factors
    Stakeholder challenges and expectations
    Emerging compliance issues
    Compliance Risk Universe
    Corporate Compliance Framework

  • Slide 36: What are we hearing about compliance

    Traditional mindset driven by internal and external factors. Goal: Keep Us Out of Trouble.

    EXTERNAL FACTORS: International Mandates and Voluntary Codes; Legal/Regulatory Requirements; Stock Exchange Listing Rules; Stakeholder Expectations; Ratings Agencies; Public/Political Pressure

    INTERNAL FACTORS: Transactions / M&A; Global market expansion; Outsourcing; New product launches; Overlapping compliance responsibilities

    Potential Impacts of Non-Compliance: Executive Removals; Stiffer Sanctions; Catastrophic Reputational Consequences (Personal and Corporate); Bigger Fines and Settlements; Criminal Indictments

  • Slide 37: Increasing Stakeholder Expectations

    Board Viewpoint (Source: Ernst & Young Audit Committee Perspectives, 2007): Boards identify compliance as the most significant risk in 2007.
    CEO Viewpoint (Source: The Conference Board, June 2005): Legal risk is the highest rated area in which CEOs won't tolerate risk.
    Investor Viewpoint (Source: Ernst & Young Global, August 2005): Investors expect transparent compliance risk management strategies.

    Major Initiatives: Regulatory; M&A/Divestitures; IT; Market Dynamics; People/HR

    Risk areas: Legal; Financial; Operating; Strategic; Compliance; Insolvency; Competitive; Reputational; Security; Technology

  • Slide 38: Emerging Issues and Questions

    How are leading companies...
    defining compliance?
    identifying their more significant compliance risks and emerging (frontier) issues?
    preventing and detecting non-compliance?
    monitoring and measuring the effectiveness of their compliance function?
    aligning and coordinating compliance and risk management activities? Embedding compliance into the business?
    leveraging their compliance investments to provide benefit within their business units?
    defining a successful compliance function and assigning ownership for its success?

  • Slide 39: Corporate Compliance Framework

    Industry Standards and Regulations: Payment card industry data security standard; Health insurance portability and accountability act; FISMA (NIST 800-53 r3); Sarbanes-Oxley, privacy laws, etc.

    Certification and Attestations: ISO/IEC 27001:2005 certification; Statement of Auditing Standard 70 type II attestation; PCI DSS certification; FISMA certification and accreditation

    Controls Framework:
    Identify and integrate: Regulatory requirements; Customer requirements
    Assess and remediate: Eliminate or mitigate gaps in control design
    Predictable Audit Schedule: Test effectiveness and assess risk; Attain certifications and attestations
    Improve and optimize: Examine root cause of non-compliance; Track until fully remediated

  • Slide 40: Compliance Process

    [Diagram only; no text captured.]

  • Slide 41: Rationalized Requirements

    [Diagram only; no text captured.]

  • Slide 42: Compliance Recap

    Complying with Internal and External Factors
    Stakeholder challenges and expectations
    Emerging compliance issues
    Compliance Risk Universe
    Corporate Compliance Framework

  • Slide 43: Governance (diagram)

    Risk Management
    Policy Management
    Controls & Compliance
    Governance

  • Slide 44: Governance

    Corporate governance: Set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered or controlled.

    Information Technology Governance: Subset of corporate governance focused on IT system performance and risk management.