Building a Corporate Risk Culture

Shane Troyer, CPA, CIA, CFE, CISSP
Principal, Operational Advisory
403.508.1370
shane.troyer@ca.gt.com

Joost Houwen, CISA, CISSP, PCI QSA
Western Canada Practice Leader, IT Security
403.508.1381
joost.houwen@ca.gt.com
Agenda
• Fundamentals of Enterprise Risk Management
• Criteria of a Strong Risk Culture
• Practical ERM process
• Project Risk Management - Examples
• Summary and Question Period
What is risk management
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework, 2004
What it really means
• Risk exists with all organizations and is an inevitable by-product of “doing business”. Successful businesses take prudent risks
• Some degree of risk is unavoidable and acceptable
• If not properly identified and managed, risk can threaten, maybe prevent the achievement of goals and objectives
Some key benefits
• Greater efficiency of operations and profitability
• More effective processes
• Improved decision making, especially with respect to setting corporate strategy
• Improved corporate governance
• Reduced risk exposure in key areas
• Better understanding of risk/reward or risk/opportunity
How to ensure your ERM program will fail
• Communicate the value of ERM in complex and difficult to understand terms
• Define risk differently within different departments and divisions
• Implement the program without top-level support
• Try to manage all risk on an ongoing basis
• Consider only net risk rather than gross (inherent)
• Ignore the need for a strong risk culture
Project management risks examples: Information Technology
• Information technology (IT) projects both large and small remain a challenge to deliver successfully
• Larger projects tend to have a greater likelihood of failure or at least significant scope/cost ‘creep’
• Typical risks associated with IT projects include:
  • Project management related risks (e.g. budget, schedule, staff)
  • User impact (e.g. lack of training)
  • Data loss (e.g. vendor/system unreliability)
• Often root causes relate to a lack of governance and unclear business outcomes
Project management risks examples: Construction Controls
• Construction related projects are typically away from daily view, such as remote sites, but involve many individuals and third parties
• Some examples of construction project related risks are:
  • Safety and environmental risks
  • Cost management and inefficiency risks
  • Potential of fraud from internal parties or third parties
  • Project related risks (e.g. budget, schedule, staff)
Criteria of a strong risk culture
"individual and group behavior within an organization that determines the way the company identifies, understands, discusses and acts on the risks"
• Owned by company leadership (action and words)
• Well defined and understood risk appetite
• Roles and responsibilities defined in context of risk
• A supported focus on risk appropriate decision making (process over results)
• Risk mitigation applied timely and consistently
• Formal documentation and reporting of risk activity
• Clearly understood approach to risk management
Conclusion
Questions?
Thank you