250 likes | 615 Views
Building a Corporate Risk Culture. Shane Troyer, CPA, CIA, CFE, CISSP Principal Operational Advisory 403.508.1370 shane.troyer@ca.gt.com. Joost Houwen , CISA, CISSP, PCI QSA Western Canada Practice Leader IT Security 403.508.1381 joost.houwen@ca.gt.com. Agenda.
E N D
Building a Corporate Risk Culture Shane Troyer, CPA, CIA, CFE, CISSP Principal Operational Advisory 403.508.1370 shane.troyer@ca.gt.com JoostHouwen, CISA, CISSP, PCI QSA Western Canada Practice Leader IT Security 403.508.1381 joost.houwen@ca.gt.com
Agenda • Fundamentals of Enterprise Risk Management • Criteria of a Strong Risk Culture • Practical ERM process • Project Risk Management - Examples • Summary and Question Period
What is risk management “Enterprise risk management is aprocess, effected by an entity’s board of directors, management and other personnel, applied in strategy settingand across the enterprise, designed to identify potential events that may affect the entity, and manage riskto be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework, 2004
What it really means • Risk exists with all organizations and is an inevitable by–product of “doing business”. Successful businesses take prudent risks • Some degree of risk is unavoidable and acceptable • If not properly identified and managed, risk can threaten, maybe prevent the achievement of goals and objectives
Some key benefits • Greater efficiency of operations and profitability • More effective processes • Improved decision making, especially with respect to setting corporate strategy • Improved corporate governance • Reduced risk exposure in key areas • Better understanding of risk/reward or risk/opportunity
How to ensure your ERM program will fail Communicate the value of ERM in complex and difficult to understand terms Define risk differently within different departments and divisions Implement the program without top-level support Try to manage all risk on an ongoing basis Consider only net risk rather than gross (inherent) Ignore the need for a strong risk culture
Project management risks examplesInformation Technology • Information technology (IT) projects both large and small remain a challenge to deliver successfully • Larger projects tend to have a greater likelihood of failure or at least significant scope/cost ‘creep’ • Typical risks associated with IT projects include: • Project management related risks (e.g. budget, schedule, staff) • User impact (e.g. lack of training) • Data loss (e.g. vendor/system unreliability) • Often root causes tend to relate from lack of governance and unclear business outcomes
Project management risks examplesConstruction Controls • Construction related projects are typically away from daily view, such as remote sites, but involve many individuals and third parties • Some examples of construction project related risks are: • Safety and environmental risks • Cost management and inefficiency risks • Potential of fraud from internal parties or third parties • Project related risks (e.g. budget, schedule, staff)
Criteria of a strong risk culture"individual and group behavior within an organization that determines the way the company identifies, understands, discusses and acts on the risks" • Owned by company leadership (action and words) • Well defined and understood risk appetite • Roles and responsibilities defined in context of risk • A supported focus on risk appropriate decision making (process over results) • Risk mitigation applied timely and consistently • Formal documentation and reporting of risk activity • Clearly understood approach to risk management
Conclusion Questions? Thank you Shane Troyer, CPA, CIA, CFE, CISSP Principal Operational Advisory 403.508.1370 shane.troyer@ca.gt.com JoostHouwen, CISA, CISSP, PCI QSA Western Canada Practice Leader IT Security 403.508.1381 joost.houwen@ca.gt.com