
BCS SOCIETY DORSET BRANCH


Presentation Transcript


  1. Risk Management & Control: Art or Science? Ross Palmer   MIIA, FIIA, CISA, FBCS CITP BCS SOCIETY DORSET BRANCH Wednesday 5th March 2008

  2. About Myself
  • Been working for 41 years!
  • Jobs:
    • MSS - Reception & Claims Assessment Clerical Officer
    • MPNI - National Insurance Inspector
    • DHSS - Regional Directorate Operations Manager
    • DSS – IT Services Agency (ITSA) Projects Manager
    • Internal Auditor
    • Computer Auditor
    • Computer Audit Manager
    • Government, banking and business services.
  • Currently Computer Audit Manager for HRG (Hogg Robinson Group).
  • Relevant qualifications:
    • MIIA/FIIA - Member/Fellow of the Institute of Internal Auditors, UK & Ireland
    • CISA - Certified Information Systems Auditor, ISACA
    • FBCS CITP – Chartered Fellow of the British Computer Society
  • Present Chair of the British Computer Society Information Risk Management & Assurance (BCS IRMA) specialist group.

  3. Why does risk management matter?
  “Troubles add up at Nike” – Jeff Manning, The Oregonian, May 4, 1997
  The Beaverton shoe giant faces slower sales growth, labor and wage controversies in its foreign factories and an unnerving 27 percent drop in its stock price.
  Portland -- After two years of ripping through the industry like a tornado in a trailer park, Nike Inc. is suddenly losing momentum. Retailers large and small report consumer demand for Nike products has levelled off and, in some cases, declined. Retailers say a small but noticeable fraction of customers are avoiding the brand on principle. Alarmed by reports of labor abuses in Third World factories, some shoe consumers say they want nothing to do with the dominant name in the industry. "We've seen a slight drop-off in Nike sales," said Pat Sweeney, president of the Fleet Feet store in Sacramento, Calif. "I think it's because of the bad publicity the company's been getting on their labor policies."

  4. Why does risk management matter?

  5. Why does risk management matter?

  6. Why does risk management matter? • Severe flooding has affected principal cities across Europe including Paris, Dresden, Prague and Gloucester

  7. Why does risk management matter?
  • Between 20 and 22 October, the city of Manchester experienced 4 earth tremors, one of which reached 3.9 on the Richter scale – sufficient to knock bottles off shelves and cause the collapse of chimneys on residences.
  • The UK was also in the grip of an extensive firefighters’ strike at the time. Businesses were warned to review their disaster recovery plans.
  Organisations, especially those with modest margins, naturally do not want to spend time and money on something that will probably never happen ... until it happens!
  So, how do we make it easy for organisations to prepare for adversity?
  Answer: Risk Management and Control

  8. What is a Risk?
  “The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to those assets.” – Guidelines for the Management of IT Security (International Standards Organisation)
  In other words: something bad WILL happen, or something good WON’T happen.

  9. Examples of business risks
  • Financial
  • Operational
  • Reputational
  • Regulatory
  • Legal
  • Project
  • Health & Safety

  10. Typical IT-related risks
  • Non-availability of systems and/or data (temporary/long-term), plus loss of work in progress at the time
  • Loss of key personnel (“single points of failure”)
  • Unauthorised, fraudulent or simply erroneous changes to data and programs, leading to loss of data integrity (accuracy)
  • Theft of assets – tangible or electronic
  • Confidentiality of personal information compromised
  • Symbolic actions (e.g. website defacement) and reputation/media damage – need to shut down service
  • Failure of a third-party supplier to deliver on its contract
  • Staff motivation/morale in reaction to adverse incidents

  11. Risk Management and Control – Some Definitions (1)
  • Risk Management: The selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce (exposure to) risk.
  • Risk Analysis: Identifying the most probable threats to an organisation and analysing the related vulnerabilities of the organisation to these threats.
  • Risk Assessment: Evaluation of existing physical, logical and environmental controls and assessment of their adequacy/effectiveness relative to the potential threats to the organisation.
  • Business Impact Analysis: Identification of critical business functions and determination of the impact on the organisation of not performing them within acceptable tolerances.
  • Inherent/Gross Risk: The level of perceived risk without the application of dynamic influences (such as control procedures).

  12. Risk Management and Control – Some Definitions (2)
  • Residual/Net Risk: The level of perceived risk following the application of dynamic influences (such as control procedures).
  • Risk Appetite: The amount of risk, on a broad level, an entity is willing to accept in pursuit of objectives.
  • (Internal) Control: The policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
  • Internal Audit: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations.
  • Corporate Governance: The leadership, organisational structures and processes that ensure that the enterprise sustains and extends its strategies and objectives.

  13. Benefits of Formal Risk Management
  • A clear understanding of risk can enhance decision making
  • Exploit opportunities from a risk aware perspective
  • Contain damage/loss and avoid surprises
  • Effective direction and use of resources – look at real issues with less time spent “fire fighting”
  • Increased likelihood of achieving business objectives
  • Provide assurance to the Board and third parties that risks are managed to an acceptable level
  • Stimulate inter-team communication and motivation
  • Gives stakeholders greater confidence in our stewardship
  • No more sleepless nights

  14. Value-Added Risk Management
  (Chart: vertical axis “Value / Return”, Low to High; horizontal axis “Approach to risk”, from Ignorant through Managing to Obsessed.)
  • Ignorant: exposed and destroying value – “Brakes off - out of control”
  • Managing: managing risk to add value
  • Obsessed: control to minimise risk – “Brakes on - going nowhere”

  15. Traditional/New Vision Continuum
  Historical/Traditional:
  • Assign duties/supervise staff
  • Policy/rule driven
  • Limited employee participation
  • Narrow stakeholder focus
  • Auditors and other specialists are the primary control analysts/reporters
  The New Vision:
  • Empowered/accountable employees
  • Continuous improvement/learning culture
  • Extensive employee participation and training
  • Broad stakeholder focus/corporate governance
  • Staff at all levels, in all functions, are the primary control analysts/reporters

  16. The Risk Management Process – in a nutshell
  (Process diagram.) Five sequential steps:
  • 1. Establish the context
  • 2. Identify risks
  • 3. Analyse risks
  • 4. Evaluate risks
  • 5. Treat risks
  with two continuing activities running alongside every step:
  • Communicate and consult
  • Monitor and review

  17. The Risk Management Process – 1. Establish the context (process diagram as on slide 16)

  18. 1. Establish the Context - Categorisation of Risk
  (Diagram of event categories.)
  • Environment – External risks:
    • Change in the parameters of the sector
    • Change in the environment (general)
    • External events specific
  • Design of the business – Internal risks:
    • How the business changes itself
    • How business is executed
    • Management and controls structure
  • Alliances:
    • Service delivery alliances
    • Customer alliances
  Event categories:
  • Provide a common language for risk – helps avoid ambiguity
  • Help identification of common risks and accumulations across divisions/processes/geographical locations

  19. 1. Establish the Context – Risk Areas
  External Risks:
  • Environmental
    • Political/legal
    • Economic
    • Social
    • Technological
  • Sector
    • Competitive rivalry
    • New entrants
    • Substitute products/services
    • Buyers
    • Suppliers
  • Other external factors/events
    • Public image
    • Shareholder expectations
    • Capital availability
    • Hostile takeover
    • Catastrophic loss
  Internal Risks:
  • How the business is executed
    • Human resources: recruitment; performance evaluation; skills and competencies; training and development; promotion practice/career planning/succession; compensation/performance incentives; retention; discipline; employee well-being and morale
    • Integrity: fraud; collusion; illegal acts; unauthorised use of assets; theft; ethics
    • Financial: gearing; liquidity/cash flow; profitability; budgeting and planning; financial instruments; pricing; credit; pension fund; taxation; regulatory reporting
    • Management information: reliability; relevance; timeliness; adequacy; performance measurement/indicators
    • Operational: customer satisfaction; quality; product/service failure; performance gap; planning; capacity; sourcing; brand name erosion; winning/implementing new clients; facilities; health & safety
    • Information systems: data integrity; completeness and accuracy of update; logical security; availability; data protection; information systems infrastructure; systems specification, selection/development & implementation; dependency on IT
    • Commercial & legal: establishing commercial contracts; interpretation and application of legislation/regulations/contracts; directors and officers wrongful acts; professional liability; intellectual property; insurance
  • How the business changes itself
    • Strategy formulation/implementation
    • Product/service development & launch
    • Merger/acquisitions/disposals
    • Entering new markets
    • Programme/project management
    • Overexpansion
  • Management and control structure
    • Leadership
    • Authority and responsibility
    • Communication
    • Organisational design
    • Organisational culture
    • Internal competition
    • Management review processes
    • Control failure
  Alliance Risks:
  • Service delivery alliances
    • Partner/supplier selection
    • Ongoing relationship management/communication
    • Loss of intellectual property
    • Loss of customers
    • Supplier/partner failure
    • Quality
    • Cost
    • Dependency on partner/supplier
    • Partner/supplier’s market place: environmental risks; sector risks
  • Customer alliances
    • Customer acceptance
    • Ongoing relationship management/communication
    • Loss of intellectual property
    • Customer systems/control failure
    • Dependency on one/a few customers
    • Customer’s market place: environmental risks; sector risks

  20. The Risk Management Process – 2. Identify risks (process diagram as on slide 16)

  21. 2. Identify Risks – Business Impact Analysis
  • A meeting or series of meetings of key stakeholders – the BUSINESS
  • “What are the five things that keep you awake at night?”
  • What will be the effect upon the BUSINESS of ...? e.g.
    • Loss of an invoicing system for 2 hours/half a day/2 days, etc.
    • Inability to access a business call centre due to toxic spill, crime scene, etc.
  • Prioritisation of the impacts upon the business

  22. 2. Identify Risks - Risk Workshop
  • Workshop(s) sessions:
    • Identification and classification
    • Measurement and priorities
  • Key stages:
    • Brainstorm exercise to identify potential operational risks
    • Risk categorisation
    • Evaluate ideas to produce an agreed list of risks
    • Estimate expected impact and likelihood
    • Establish management priorities

  23. The Risk Management Process – 3. Analyse risks (process diagram as on slide 16)

  24. 3. Analyse Risks - Risk Factors
  • Factor 1 – Likelihood: “Is it going to happen to me?” (uncertainty, chance, probability, odds)
  • Factor 2 – Impact: “What is it going to mean to me if it does?” (exposure, vulnerability, effect, consequence)
  Likelihood × Impact = Risk Scoring

  25. The Risk Management Process – 4. Evaluate risks (process diagram as on slide 16)

  26. 4. Evaluate Risks - Risk Categorisation/Scoring

  27. 4. Evaluate Risks - Risk Prioritisation
  (Matrix: Impact on the vertical axis and Likelihood on the horizontal axis, each from Low to High; risks numbered 1 to 11 are plotted on it. Key: high risk, moderate risk, low risk.)

  28. 4. Evaluate Risks - Risk Matrix Process Risks (heat map) (Example only – does not represent actual risk profile)
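As an added worked example (not from the slides), the likelihood × impact scoring of slide 24 and the high/moderate/low banding of slides 27 and 28, run over a constructed register drawn from the “Typical IT-related risks” slide. The 1–5 scales, the band thresholds and the tie-break rule are assumptions, since the slides give none of them.

```python
from dataclasses import dataclass

# Assumed 1-5 scales for both factors (the slides only say Low..High).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    ref: int
    description: str
    likelihood: int  # 1 (remote) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Slide 24: Likelihood x Impact = risk score."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"risk {self.ref}: factors must be in {list(SCALE)}")
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Assumed thresholds for the three bands of the slide 27 key."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def prioritise(register):
    """Highest score first; ties broken by impact, then reference number."""
    return sorted(register, key=lambda r: (-r.score(), -r.impact, r.ref))


def heat_map(register):
    """Slide 28 style matrix: rows = impact (high at top), cols = likelihood."""
    grid = {(lk, im): [] for lk in SCALE for im in SCALE}
    for r in register:
        grid[(r.likelihood, r.impact)].append(r.ref)
    lines = []
    for im in reversed(SCALE):
        cells = [",".join(str(x) for x in grid[(lk, im)]) or "." for lk in SCALE]
        lines.append(f"impact {im} | " + " ".join(f"{c:>5}" for c in cells))
    lines.append("         | " + " ".join(f"{'L' + str(lk):>5}" for lk in SCALE))
    return "\n".join(lines)


# Constructed register; factor values are illustrative only.
REGISTER = [
    Risk(1, "Non-availability of systems/data (long-term)", 2, 5),
    Risk(2, "Loss of key personnel (single point of failure)", 3, 4),
    Risk(3, "Unauthorised/erroneous changes to data or programs", 4, 4),
    Risk(4, "Theft of tangible or electronic assets", 2, 3),
    Risk(5, "Confidentiality of personal information compromised", 3, 5),
    Risk(6, "Website defacement / reputation damage", 2, 2),
    Risk(7, "Third-party supplier fails to deliver on contract", 3, 3),
    Risk(8, "Staff morale after an adverse incident", 4, 1),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.ref:>2} score={r.score():>2} {band(r.score()):<8} {r.description}")
    print(heat_map(REGISTER))
```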

  29. The Risk Management Process – 5. Treat risks (process diagram as on slide 16)

  30. 5. Treat Risks - Strategies (T.R.A.P.)
  • Terminate the activity being undertaken which generates risk
  • Reduce the risk by introducing new or enhancing existing controls
  • Accept the risk where existing controls are felt to be adequate
  • Pass on the risk to another party - for example, insure against it or outsource the function

  31. 5. Treat Risks - The Control Environment: Information Processing Objectives
  • Confidentiality
  • Integrity
  • Availability
  • Effectiveness
  • Efficiency
  • Economy
  • Compliance

  32. 5. Treat Risks - The Control Environment: Definitions of high-level control objectives
  • Confidentiality: Prevention of disclosure of sensitive information resources to unauthorised individuals or organisations
  • Integrity: Prevention of accidental corruption, deliberate unauthorised manipulation or inaccurate entry/processing of business information resources
  • Availability: Prevention of business information stored in or processed by systems becoming lost or unavailable for an extended period
  • Effectiveness: Maximising the conformance of outputs from an activity to a specification or need (meaning: “Doing the right things”)
  • Efficiency: Optimising the ratio of inputs to outputs for an activity (meaning: “Doing things right”)
  • Economy: Minimising the cost of the inputs to an activity or the resources needed to deliver a service (meaning: “Doing things cheap”)
  • Compliance: Avoidance of breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

  33. 5. Treat Risks - The Control Environment: A Hierarchy of Internal Control
  Internal controls can be categorised into the following:
  • Preventive Controls – (“before the fact”)
    • The most important control type since, if 100% effective (which it never is), none of the others would be necessary – physical barriers, passwords
    • Healthcare analogy: Prophylactics (e.g. immunisation programmes)
  • Detective Controls – (“after the fact”)
    • If a preventive mechanism fails, this is the first type of control necessary to identify this fact prior to correction – audit trails, monitoring
    • Healthcare analogy: Diagnoses (e.g. check-ups; ECGs)
  • Corrective Controls – (“before or after the fact”)
    • This type of control is designed to correct a problem – change control, overrides
    • Healthcare analogy: Surgery (e.g. heart by-pass; tumour excision)
  • Deterrent Controls – (“instead of the fact”)
    • Designed to advise against certain forms of action – security policy, logon warning
    • Healthcare analogy: Government Health Warnings (e.g. tobacco; alcohol)

  34. 5. Treat Risks - Risk and Control
  (Diagram, labelled:)
  • Residual or ‘exposed’ risk
  • Risk controlled
  • Control pressure
  • Unidentified risks – risks currently ‘hidden’ by the control structure but which may be exposed by major change

  35. IT Risk Management and Control – sources of inspiration
  There are a number of industry IT security standards that can assist compliance with governance requirements and in some cases grant a badge to an organisation to say “We are all certified here” (!!!???). These include:
  • The Standard of Good Practice for Information Security – Information Security Forum (ISF)
  • Control Objectives for Information and related Technology (COBIT)
  • Information Security Management Systems - Requirements (ISO27001)

  36. Achieving Information Technology Governance - ISF
  • The Standard of Good Practice for Information Security
  • Produced by the Information Security Forum (ISF), an international association that co-operates in the development of information security and risk management best practices.
  • “The ISF's work probably represents the most comprehensive and integrated set of reports anywhere in the world ...”
  • Draws on the knowledge and experiences of the ISF's global members as well as building on other standards such as ISO 27001 and COBIT
  • Available as free download from www.securityforum.org

  37. Achieving Information Technology Governance - ISF Breakdown of the standard:

  38. Achieving Information Technology Governance - COBIT
  • Control Objectives for Information and related Technology (COBIT)
  • Developed by the IT Governance Institute (ITGI) and the Information Security And Control Association (ISACA)
  • Provides over 300 IT control statements defining requirements addressing value delivery, risk management, regulatory compliance and IT investment.
  • Structured in 4 domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring
  • Can be integrated with other respected standards such as ISO27001 and ISO9000
  • Available as free download from www.itgi.org

  39. Achieving Information Technology Governance - COBIT
  Comprises 4 control “domains”:
  • Plan and Organise
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate
  Containing 34 IT control processes, e.g.
  • Define a Strategic Plan
  • Manage Changes
  • Ensure Continuous Service
  • Monitor and Evaluate IT Performance

  40. Achieving Information Technology Governance - COBIT Topic structure (example)

  41. Achieving Information Technology Governance – ISO27001
  • Information Security Management Systems - Requirements (ISO27001)
  • Developed initially as BS7799 by the British Standards Institute
  • Adopted as ISO17799 by the International Standards Organisation
  • Revised 2005 as ISO27001
  • Structured under 11 security clauses, 39 control objectives and 133 control processes
  • Can be integrated with other respected standards such as ISO9000 (quality), ISO14000 (environmental), ISO15000 (service delivery)
  • Not available for free !! See www.bsi-global.com

  42. Achieving Information Technology Governance – ISO27001
  ISO27001 – High level contents:
  • Security policy
  • Organisation of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

  43. Q. Should Risk Management and Control be considered to be an Art or a Science?
  A.
  • Art: “The expression or application of human creative skill and imagination”
  • Science: “The intellectual and practical activity encompassing the systematic study of the structure and behaviour of the physical and natural world through observation and experiment”
  (From the Oxford Dictionary of English)

  44. Potential principles for roles and responsibilities - Board
  (Organisation chart shown on this and the following slides: Board; Executive Group; Business Risk Manager; Internal Audit; Businesses MDs / Director responsible for matrixed function; Risk Champions; All managers and staff.)
  • Determine risk appetite
  • Agree risk policy and strategy
  • Satisfy itself that all risks are managed to an acceptable level
  • Governance disclosure in Annual Report

  45. Potential principles for roles and responsibilities – Executive Group
  • Develop risk policy and strategy
  • Analyse risk reports
  • Report risk status to Board

  46. Potential principles for roles and responsibilities – Business Risk Manager
  • Provide support to Executive Group to develop risk policy and strategy and analyse risk reports
  • Analyse overall risk portfolio for accumulations and interdependencies
  • Assist businesses and matrixed functions to identify risks and establish treatment strategies
  • Set standards for risk reports
  • Maintain Risk Management Information System
  • Co-ordinate with other risk specialists
  • Provide additional services (eg project risk workshops) on request
  Role is to facilitate the risk management process and not to manage risks.

  47. Potential principles for roles and responsibilities – Internal Audit
  • Quality assurance of risk management process
  • Test compliance at all relevant levels
  • Alongside Business Risk Manager promote the principles of self-assessment of risk and control status
  • Advise businesses in design of control portfolio and sign-off adequacy
  • Scope audit work on risk severity to the business
  • Undertakes special investigations upon request

  48. Potential principles for roles and responsibilities - Directors
  • Ensure adequate risk management process is in operation
  • Report risk profile to the Executive Board
  • Obtain assurance that controls relied upon are working effectively and sign-off controls assurance statement
  • Matrixed functions also to report on risk profiles and effectiveness of controls to the businesses which “sub-contracted” to them
  Can consult with Business Risk Manager or Internal Audit but remains responsible.

  49. Potential principles for roles and responsibilities – Risk Champions
  • Responsible to MD for operation of risk management process
  • Communicates risk management policies and procedures to all management and staff
  • Acts as key contact point for managers and staff to report risks identified and proposed action
  • Liaison between business/matrixed functions re “sub-contracted” risks
  • Liaison with risk management specialists in “2nd line of defence”

  50. Potential principles for roles and responsibilities – Managers and Staff
  • Management of risks within own sphere of operation in accordance with risk management policies and procedures
  • Report risk profiles to Risk Champion
