
Enterprise Risk Management at the College of William and Mary



  1. Enterprise Risk Management at the College of William and Mary Courtney Carpenter (in absentia) Chief Information Officer Pete Kellogg Director, Information Security and Project Management

  2. Agenda • ERM Program evolution • Governance and Organizational Structure • Inputs to ERM at WM • Process and model • Pilot results • College IT risk assessment results • Enterprise Level Risks • College-wide implementation • Lessons learned and future challenges

  3. Program Evolution • 2006 Higher Education Restructuring Act • College drafts policy to align IS program with ISO 27005 • 2007 Provost-led College-wide Risk Management Effort • New President and Provost • 2008 Enterprise Risk Management Committee formed • Chaired by VP of Administration and includes Provost, VP of Finance, Internal Auditor, CIO, Vice Provost for Research, VP for Facilities Management • Meets monthly

  4. Governance and Organizational Structure • Risk Management Policy • Risk Management Policy approved by College President granting authority for the RMC to direct College units in an Enterprise Risk Management initiative • Meets monthly to review progress and provide direction for program • Risk Management Subcommittee • Charged with developing a RM process and model for conducting risk assessments and risk treatment plans in a consistent manner across the institution • Delegated authority to require units to participate

  5. Inputs to ERM at WM • ISO/IEC Information Security Risk Management Standard • Shift to Enterprise Risk Management • University Risk Management and Insurance Association (URMIA) • Enterprise Risk Management in Higher Education conference • University of California • Penn State University • New York University

  6. Risk Assessment Process • Risk Management Phases • Risk Assessment • Risk identification • Risk analysis • Risk treatment planning • Review of progress and re-assessment • Challenges • How do we implement an enterprise risk management program consistently across College units? • How do we ensure meaningful results that can be acted upon?

  7. Risk Assessment Process • What is a risk? • The ISO/IEC definition of an IS risk is ‘the potential that a given threat will exploit vulnerabilities…’ • Risk (noun): A situation involving exposure to danger. • At the College, a risk is defined as a failure of a business process. The failure is distinct both from the event or action that could cause such failure (the “cause”), and from the effects (the “consequences”) of the failure.

  8. Risk Assessment Process • Step 1: Identify business processes and potential process failures (risks) • Review with subcommittee • Step 2: Identify potential causes and consequences of the failures and document any existing controls • Review with subcommittee • Step 3: Assign ratings (1 – 5) for severity, probability, and strength of existing controls • Subcommittee review and calculation of risk prioritization number (severity * probability * control rating)

  9. Risk Assessment Model

  10. Risk Treatment Plans • Step 4: Develop treatment plans for priority risks • Treatment plan categorizations: • Plans that can be implemented with no additional support • Plans that require additional resources • Plans that require inter-departmental support • RMC response memo • Directs unit on which treatment plans to implement • Directs unit on how to request new resources
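The four steps above (slides 8 and 10) amount to a small FMEA-style scoring model: each process failure gets 1 to 5 ratings for severity, probability and existing controls, the product is the risk prioritization number (RPN), and slide 11 treats RPN > 30 as the cut-off for a priority risk. The following is an added worked example, not code from the College or the presentation. It assumes the scale directions (5 = most severe, 5 = most likely, 5 = weakest controls, so that stronger controls lower the RPN; the slides do not state the direction of the control rating) and uses a constructed IT-style register modelled on the themes of slide 12 with invented ratings.

```python
"""Risk prioritization number (RPN) scoring for a unit risk register.

Added illustrative example; the ratings, process names and scale
directions below are assumptions, not data from the presentation.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

RATING_MIN, RATING_MAX = 1, 5
PRIORITY_THRESHOLD = 30  # slide 11: priority risks are those with RPN > 30


@dataclass(frozen=True)
class Risk:
    """One business-process failure (the 'risk' in the College's definition)."""
    process: str
    failure: str
    severity: int     # 1 = negligible consequence .. 5 = catastrophic
    probability: int  # 1 = rare .. 5 = almost certain
    control: int      # 1 = strong existing controls .. 5 = weak or none (assumed)

    def __post_init__(self) -> None:
        # Reject ratings outside the 1-5 scale so a typo cannot silently
        # inflate or hide a risk.
        for name in ("severity", "probability", "control"):
            value = getattr(self, name)
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{name} must be {RATING_MIN}..{RATING_MAX}, got {value}")


def rpn(risk: Risk) -> int:
    """Risk prioritization number as defined on slide 8."""
    return risk.severity * risk.probability * risk.control


def priority_risks(register: Sequence[Risk], threshold: int = PRIORITY_THRESHOLD) -> List[Risk]:
    """Risks with RPN above the threshold, highest RPN first (ties broken by severity)."""
    ranked = sorted(register, key=lambda r: (rpn(r), r.severity), reverse=True)
    return [r for r in ranked if rpn(r) > threshold]


def priority_counts(register: Sequence[Risk], thresholds: Sequence[int]) -> Dict[int, int]:
    """How many risks would be 'priority' at each candidate threshold.

    With 1-5 ratings the RPN can only take the products of three small
    integers, so the priority set jumps rather than shifts as the cut-off
    moves; this is one reason quantification is listed as a challenge.
    """
    return {t: len(priority_risks(register, t)) for t in thresholds}


# Constructed register (ratings are invented for illustration).
REGISTER = [
    Risk("Student records", "Loss or theft of SSN / FERPA data", severity=5, probability=3, control=3),
    Risk("Email service", "Outage longer than the COOP recovery time objective", severity=4, probability=3, control=2),
    Risk("Help desk", "Support demand exceeds capacity for mobile and cloud services", severity=3, probability=4, control=3),
    Risk("Lab inventory", "Theft or unauthorized use of hardware", severity=2, probability=3, control=2),
    # Severe and likely, but strong controls keep it below the cut-off.
    Risk("Backup system", "Backups unrecoverable", severity=5, probability=5, control=1),
]


if __name__ == "__main__":
    for risk in sorted(REGISTER, key=rpn, reverse=True):
        flag = "PRIORITY" if rpn(risk) > PRIORITY_THRESHOLD else ""
        print(f"{rpn(risk):3d}  {risk.process:16s} {risk.failure}  {flag}")
    print("priority count by threshold:", priority_counts(REGISTER, [20, 30, 40, 60]))
```

The last entry is the check worth noticing: a 5 x 5 failure with a control rating of 1 scores 25 and drops out of the priority list, so the model is only as good as the honesty of the control rating, and the direction of that scale must be agreed before units start scoring.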

  11. Pilot Results • Registrar’s Office • 10 processes • 34 risks • 5 priority risks (RPN > 30) • Full year to complete • Athletics Department • 8 sub-units • 44 processes • > 100 risks • 24 priority risks (RPN > 30) • 8 months to complete

  12. Results of IT Risk Assessment • Approximately 40 business processes identified • Many repeating risks, causes, and consequences across business processes • Priority risks of the department are • Loss or theft of sensitive data (SSNs, CC#s, FERPA data, etc…) • Loss of critical services longer than the recovery time objectives established in departmental COOPs (highest degree of variation in causes) • Support demand exceeding support capacity in academic and emerging technologies (mobile devices, cloud services, etc...) • Theft or unauthorized use of hardware and/or software • Are these results meaningful?

  13. Enterprise Level Risks (ELRs) • BOV need for immediate results • Conducted abbreviated process with RMC • What keeps you awake at night? • 24 ELRs • Safety, security, and health of campus community • Financial, regulatory, compliance • Facilities • Accreditation • Extended period of service failure

  14. College-wide Implementation • Progress to date • 2008 - 2009 • Registrar’s Office pilot • 2009 - 2010 • Athletics Department pilot • 2011 • Information Technology • Muscarelle Museum • Development • Facilities Management

  15. College-wide Implementation • Future steps • Complete 4 – 6 units per year • 3 year cycle for every unit • Critical and high risk areas first • Academic units • Research labs • Start again • Review progress toward treatment plans • Review work processes and re-assess risks/failures, causes, and consequences

  16. Lessons Learned and Challenges • Executive sponsorship and involvement • Consistent definitions and communication • Role of the subcommittee in unit RM efforts • Integration with budget and other administrative processes (COOP) • Challenges with quantification of risk attributes • There is no finish line
