Risk Management Lecture 3
TRANSCRIPT
-
7/22/2019 Risk Management Lecture 3
1/44
Lecture 3
Building an Information Risk Management Toolkit: Practical Governance, Risk and Compliance
Dr. Barbara Endicott-Popovsky
-
QUICK REVIEW
Terminology
-
Today's organizations are concerned about GRC:
Governance
(Enterprise) Risk Management
Compliance
-
What is GRC?
Governance: Processes, systems and controls by which organizations defend the interests of the stakeholders. E.g. IFRS, COSO, OECD, Clause 49.
Risk: Possibility of loss or injury created by an external entity or by a person. E.g. operational risk, credit risk, market risk.
Compliance: Concept of acting in accordance with established laws, regulations, protocols, standards and specifications. E.g. SOX, HIPAA, FCPA.
Maclear LLC, 2012
-
GRC Components
GRC Application Controls: Transaction Monitoring; SOD & Access; Application Configuration
GRC Reporting & Analytics: Reporting; Alerts; Dashboards
GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Mgmt
GRC Infrastructure Controls: Change Mgmt; Digital Rights; Data Security; Identity Mgmt; Records Mgmt
-
Governance, Risk Management and Compliance
Governance: Overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures.
Risk management: Set of processes through which management identifies, analyzes, and responds appropriately to risks that might adversely affect realization of the organization's business objectives.
Compliance: Conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
-
GRC Eco-System
GRC is the integration of:
Governance
Risk Management
Compliance Management
Ethics Management
Performance Management
Internal Controls
Information Assurance
-
Risk Management | Policy Management | Compliance Management | Corporate Governance
-
Risk Management
Definitions and Terms
Purpose of Risk Management
Managing the Upside and Downside of Business
RM Framework
Measuring Risk
Risk Assessment Approach
Risk Calculations
Risk Reporting
-
Definitions and Terms
Risk (n): Undesirable effect of uncertainty on achieving business objectives.
Risk (v): To put something in a state where it may encounter undesirable effects on achieving objectives due to uncertainty.
Risk Management System or Framework: A system that addresses risk and reward.
Risk Management Process: Process that establishes context and communicates with stakeholders about risk management; and identifies, analyzes, prioritizes, treats, and monitors risk while addressing reward.
-
"Risk is like a fire: If controlled it will help you; if uncontrolled it will rise up and destroy you." - Theodore Roosevelt
"The purpose of risk management is to change the future, not to explain the past." - The Book of Risk, Dan Borge
-
Purpose and Objectives of Risk Management
To gain a comprehensive view of the significant financial, strategic, compliance, and operational risks across an organization or entity.
To build a sustainable process within the business to continually assess, improve, and monitor the significant risks to achieving organizational objectives.
Optimal use of resources through risk-based decision making: cost-effective investments in defensive measures; proper focus on issues of highest concern.
To assist the business in realizing opportunities through a broader understanding of the risks they face.
-
Managing Upside and Downside
All too confusing and overdone... except when we get in trouble. Must do it. But how do we do it better?
Goal - Keep Us Out of Trouble: Growing number of restatements; Stiffer sanctions; Catastrophic reputational consequences; Bigger fines and settlements; Criminal indictments; Expanding regulation
Goal - Make Our Business Better: Effective use of technology; Coordinated risk activities; Enhanced business processes; Reduced total risk spend; Better product offerings; Improved communications and disclosure
-
Corporate Risk Dimensions
Risks can be identified at various levels of an organization called dimensions. For instance, technology risks can be grouped into the following five risk dimensions:
Organizational Risks
Functional Risks
Process & Technology Risks
Data Risks
External/Environmental Risks
-
Risk Calculations
Inherent Risk = Inherent Likelihood x Inherent Impact
Residual Risk = Residual Likelihood x Residual Impact
Inherent Risk = Threat Likelihood x Magnitude of Impact
-
Impact Criteria
Columns: Score | Rating | Operating Income | Impact on Value (EPS impact on annual guidance) | Description of Impact | Duration | Organizational and operational scope | Reputational impact on stakeholders (i.e., customers, shareholders, and employees) | Legal/Compliance/Environmental Impact
5 Critical: Operating income >11% (>$2.5B). Impact on value: significant reduction in market capitalization, significant draw on liquidity reserve (EPS >$0.25). Duration: significant recovery period. Scope: enterprise-wide, inability to continue business operations globally. Reputational: permanent loss of stakeholder confidence resulting in legal action, interruption in enterprise operations globally, and/or defection to competition. Legal/Compliance/Environmental: global restrictions on conducting business in certain product lines, markets, or geographies.
4 High: Operating income >4.4% (>$1.0B). Impact on value: substantial reduction in market capitalization, substantial draw on liquidity reserve (EPS >$0.10). Duration: recoverable in the long term (i.e., 24-36 months). Scope: 2 or more divisions, significant ongoing interruptions to business operations within 2 or more divisions. Reputational: sustained losses in 2 or more stakeholder groups. Legal/Compliance/Environmental: prohibited from conducting business in certain product lines, markets, or geographies.
3 Moderate: Operating income >2.2% (>$500M). Impact on value: limited reduction in market capitalization, limited draw on operating cash flow (EPS $0.05). Duration: recoverable in the short term (i.e., 12-24 months). Scope: 1 or more division(s), moderate impact within 1 or more division(s). Reputational: moderate loss in 1 or more stakeholder groups. Legal/Compliance/Environmental: significant fines or limitations on conducting business in certain product lines, markets, or geographies.
2 Low: Operating income >1.10% (>$250M). Impact on value: missed forecast(s) and/or budget(s), limited draw on operating cash flow (EPS $0.025). Duration: temporary (i.e., less than 12 months). Scope: 1 division, limited impact within 1 division. Reputational: limited to minor/short-term loss in 1 stakeholder group. Legal/Compliance/Environmental: limited actions against the company with limited effects on operations.
1 Minimal: Operating income >0.50% (>$100M). Impact on value: EPS $0.01. Minimal impact in the remaining columns.
-
Likelihood Criteria
Columns: Score | Rating | Consideration | Probability | Frequency
5 Expected: The risk event or circumstance is relatively certain to occur, or has occurred within the past year. 90-100%. Almost yearly.
4 Highly Likely: The risk event or circumstance is highly likely to occur. 70-90%. Every 2 to 3 years.
3 Likely: The risk event or circumstance is more likely to occur than not. 50-70%. Every 4 to 6 years.
2 Not Likely: The risk event or circumstance occurring is possible. 10-50%. Every 7 to 9 years.
1 Slight: The risk event or circumstance is only remotely probable. <10%. Every 10 years and beyond.
-
Management Activity/Control Level Criteria
Columns: Score | Rating | Action | Description
5 Very High - Effective: Controls and/or management activities properly designed and operating as intended, no defined opportunities for improvement. There are no outstanding High or Medium risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or the external auditors.
4 High - Limited Improvement Opportunity: Controls and/or management activities properly designed and operating, with limited opportunities for improvement identified. There are no outstanding High risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or the external auditors.
3 Moderate - Moderate Improvement Opportunity: Key controls and/or management activities in place, with moderate opportunities for improvement identified. There are no outstanding High risk audit issues. There may be some significant deficiencies as defined by SOX or the external auditors.
2 Low - Significant Improvement Opportunity: Limited controls and/or management activities in place, high level of risk remains, significant opportunity for improvement identified. There are outstanding High and/or Medium risk audit issues or significant deficiencies as defined by SOX or the external auditors.
1 Very Low - Critical Improvement Opportunity: Controls and/or management activities are non-existent or have major deficiencies and don't operate as intended, critical opportunity for improvement identified. There are outstanding High risk audit issues or material weakness(es) as defined by SOX or the external auditors.
NOTE: When evaluating the Management/Control Level for a particular risk event or circumstance, make the evaluation based on the existing management activities and/or controls that exist both within defined business processes as well as at the entity level. The table provides guidance for choosing a score of 1 through 5.
-
Measuring Risk - Risk Map
High risk (high impact, high likelihood): Seek risk responses: avoid, transfer/share, mitigate/reduce, accept. Remediate items causing the risk. Investigate the risk further to gain better insight on how to respond.
Medium risk (high impact, low/medium likelihood): Seek ways to reduce the impact of the risk, should it occur. Investigate further to confirm likelihood is not higher than believed. Assess processes and controls to ensure risk will not worsen.
Medium risk (low/medium impact, high likelihood): Seek ways to reduce the likelihood of the risk occurring. Investigate further to confirm that impact is not higher than believed. Assess processes and controls to ensure risk will not worsen.
Low risk (low impact, low likelihood): Monitor the risk periodically to confirm it has not increased.
Risks falling at or near the risk tolerance level: Accept the risk, since it is at/near tolerance level. Seek ways to reduce the likelihood or impact of the risk. Assess processes/controls to ensure risk will not worsen.
-
Risk Levels and Impact of Risk Treatment - Representative Sample
Tier 1 Risks: 1 Privacy / Security of Critical Data; 2 Business Continuity Mgmt; 3 Corruption; 4 Product Quality; 5 Financial Guidance and Market Expectations; 6 HW Quality and Compliance; 7 Taxation of Foreign Earnings; 8 Credit and Collections; 9 Y!; 10 Data Management
[Figure: risk map plotting each Tier 1 risk by Likelihood of Occurrence (1 Remote, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost Certain) against Severity of Impact (1 Mild, 2 Moderate, 3 Serious, 4 Severe, 5 Catastrophic), with each risk shown at its Inherent Risk and Residual Risk positions; the plotted positions are not recoverable from the transcript]
-
Risk Responses
Avoid: Choosing not to participate in the activity that is associated with or causing the risk.
Transfer/share: Engaging another party to accept all or part of the risk. This can be through insurance, outsourcing risky tasks or entering into business arrangements/agreements whereby risk is shared across parties or reassigned to the other party.
Mitigate/reduce: Decrease the level of risk by either reducing the probability that the risk might occur, or by taking measures that will cause the impact to be lessened should the risk occur.
Accept: Acknowledge the risk and choose to do nothing, thereby accepting any potential impacts and consequences.
-
Risk Assessment Methodologies
National Institute of Standards & Technology (NIST) Methodology
ISO 31000
OCTAVE
COSO ERM
FRAP
Risk Watch
-
Established Governance and Risk Management methodologies
COSO Enterprise Risk Management
COBIT (Control Objectives for Information and related Technology)
Companies often adopt a hybrid
McCumber cube - evaluating information assurance programs
http://en.wikipedia.org/wiki/File:Mccumber.jpg
http://www.itil-officialsite.com/home/home.asp
-
Risk Assessment Approach
Planning and Scoping
Business risk scenarios
Risk Universe
Assessment of Risks and Controls
Management Recommendations
Action planning and execution
Action tracking and reporting
-
ERM Risk Universe
Risk categories: Strategic | Operations | Legal/Compliance | Financial/Reporting
Business Model: Vision & Direction; Monetization Model; Brand/Marketing Strategy; Channel Strategy; Pricing Strategy; Competitive Positioning; Value Chain Strategy; Measurement & Monitoring
Strategic Investments: M&A; Partner Alliance; Ecosystem Investments; R&D Investments
Market Dynamics: General Macro Environment; Social-Political; Technology Changes; Talent Acquisition; Customer Demand; Consumer Lifestyle; UGC/Sharing; Use of Mobile vs. PC; Piracy
Business Model Disruptions: "Thin" Client Services; Open Source; Ad-Funded; Virtualization; OEM Disruption; Channel Alienation; Importance of S/W H/W Coupling
Product Development: Product Strategy; Software Development; Product Development Partners; Product Quality/Integrity; Product Security; Product Release; 3rd Party Subsystems or Functionality Integration
Sales & Marketing: Research and Development; Marketing; Advertising; Product Pricing; Sales and Marketing - Partner Management; Sales Contracting/Customer Pricing; Order Management; Public Relations
Services: Consulting Services; Customer Support; Service Partners; Customer Operations
Supply Chain: Manufacturing Planning and Forecasting/Product Availability; Vendors/Partners/Contract Execution; Procurement; Production; Inventory & Capacity Management; Distribution Channels; Product Licensing/Subscriptions; Product Compliance; Software Piracy
Corporate Governance: Board Performance; Governance Framework; Corporate Citizenship
Legal Compliance: Ethics and Business Conduct; Anti-Corruption; Fraud
Legal: Contract; IP/Source Code Protection; IP Infringement; Piracy/Counterfeiting
Regulatory: Antitrust and Competition Law; Export Control and Global Trade; Labor Laws and Regulations; Securities; Environment; Data Protection and Privacy; Product Safety
Planning & Resource Allocation: Operational and Business Planning; Budgeting and Forecasting; Capital Expenditure Planning; Outsourcing
Treasury: Cash Management; Hedging; Investing; Insuring; Funding; Credit and Collections; Securities Lending
Financial Reporting: GAAP Accounting; External Reporting & Disclosure; Internal Control/SOX 404/302; Statutory Reporting; Internal Reporting; Information & Reporting Integrity
Tax: Tax Strategy and Planning; Tax Optimization; Transfer Pricing; Property Taxes; Tax Compliance
Investor Relations: Communications
Mergers, Acquisitions & Divestitures: Accounting for Mergers, Acquisitions & Divestitures
Internal Audit
People: Culture; Recruiting & Retention; Global Resourcing; Development and Performance; Succession Planning; Compensation & Benefits; Labor Relations; Employee Communications; Organizational Structure
Information Technology: Infrastructure Resiliency and Availability; Data Privacy; Data Management, Integrity and Quality; Infrastructure Security; Information System Access; IT Governance
Business Continuity: Natural Events; Information Technology Recovery; Business Process Recovery; Crisis Management; Man Made Events
Corporate Physical Security: Buildings and Facilities; Threats of Violence; Incidents of Theft; Life Safety
-
Risk Reporting - Risk Maps
The Risk Map displays individual unit risks in relation to each other based on the Impact and Likelihood assessment.
[Figure: 2x2 map with Risk Exposure (Impact x Likelihood) on the vertical axis (Low to High) and Management/Control Activity Level on the horizontal axis (Low to High); quadrants: Improve (high exposure, low control), Monitor (high exposure, high control), Accept (low exposure, low control), Optimize (low exposure, high control)]
Improve: Areas of high risk exposure with a low level of control must be key priority for improvements in management and control activities.
Monitor: Areas of high risk exposure where controls are deemed adequate should be monitored to provide ongoing assurance of control effectiveness.
Accept: Areas of low risk exposure that also have a lower level of control may be consciously accepted by the organization.
Optimize: Areas of low risk exposure with a high level of control may generate opportunities to optimize the management and control activities.
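The scoring rules on the Risk Calculations, Likelihood Criteria and Management/Control Level slides, together with the two risk maps, are mechanical enough to run as code. The following Python is an added worked example, not code from the Maclear LLC slides or this lecture. It uses the lecture's 1..5 scales and the likelihood table's probability bands as given; the thresholds the slides leave qualitative (what counts as a "high" axis score, the exposure the organization tolerates, and how close to tolerance counts as "near") are labelled assumptions (HIGH_AXIS, TOLERANCE, NEAR) that a risk team would set from its own risk appetite. The sample register's scores are constructed; only the Tier 1 risk names come from the lecture's representative sample.

```python
"""Risk scoring and risk-map classification on the lecture's 1..5 scales.
Added worked example, not code from the Maclear LLC slides: the likelihood
bands and the quadrant actions come from the lecture's tables; HIGH_AXIS,
TOLERANCE and NEAR are ASSUMPTIONS that make its qualitative thresholds
explicit. Set them from your own risk appetite."""
from dataclasses import dataclass

# Likelihood Criteria table: (lower probability bound, score, rating).
LIKELIHOOD_BANDS = ((0.90, 5, "Expected"), (0.70, 4, "Highly Likely"),
                    (0.50, 3, "Likely"), (0.10, 2, "Not Likely"), (0.00, 1, "Slight"))
HIGH_AXIS = 4  # ASSUMPTION: 4 or 5 on likelihood, impact or control level counts as "high"
TOLERANCE = 6  # ASSUMPTION: exposure (likelihood x impact, 1..25) the organization tolerates
NEAR = 2       # ASSUMPTION: exposures from TOLERANCE - NEAR upward are "at or near" tolerance
MAP_ACTIONS = {  # Measuring Risk - Risk Map slide, one entry per cell
    "High risk": "seek risk responses (avoid, transfer/share, mitigate/reduce, accept); remediate causes",
    "Medium risk (high impact, low/medium likelihood)": "reduce impact; confirm likelihood is not higher",
    "Medium risk (low/medium impact, high likelihood)": "reduce likelihood; confirm impact is not higher",
    "At/near risk tolerance": "accept; seek ways to reduce likelihood or impact; ensure it does not worsen",
    "Low risk": "monitor periodically to confirm it has not increased",
}

def likelihood_score(probability: float) -> int:
    """Map an annual probability in [0, 1] to the 1..5 likelihood score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be within [0, 1], got {probability}")
    for lower, score, _rating in LIKELIHOOD_BANDS:
        if probability >= lower:
            return score
    raise AssertionError("unreachable: the bands cover [0, 1]")

@dataclass(frozen=True)
class Risk:
    name: str
    inherent_likelihood: int  # before existing controls and treatment
    inherent_impact: int
    control_level: int        # Management Activity/Control Level score
    residual_likelihood: int  # after existing controls and planned treatment
    residual_impact: int

    def __post_init__(self) -> None:
        for field in ("inherent_likelihood", "inherent_impact", "control_level",
                      "residual_likelihood", "residual_impact"):
            if getattr(self, field) not in range(1, 6):
                raise ValueError(f"{self.name}: {field} must be 1..5")
        # Treatment can hold or lower a score, never raise it: a residual above
        # inherent is a data-entry error, not a result.
        if (self.residual_likelihood > self.inherent_likelihood
                or self.residual_impact > self.inherent_impact):
            raise ValueError(f"{self.name}: residual score exceeds inherent score")

def inherent_risk(r: Risk) -> int:
    """Inherent Risk = Inherent Likelihood x Inherent Impact."""
    return r.inherent_likelihood * r.inherent_impact

def residual_risk(r: Risk) -> int:
    """Residual Risk = Residual Likelihood x Residual Impact."""
    return r.residual_likelihood * r.residual_impact

def map_cell(likelihood: int, impact: int) -> str:
    """Cell of the Measuring Risk - Risk Map for one (likelihood, impact) pair."""
    high_l, high_i = likelihood >= HIGH_AXIS, impact >= HIGH_AXIS
    if high_l and high_i:
        return "High risk"
    if high_i:
        return "Medium risk (high impact, low/medium likelihood)"
    if high_l:
        return "Medium risk (low/medium impact, high likelihood)"
    if likelihood * impact >= TOLERANCE - NEAR:
        return "At/near risk tolerance"
    return "Low risk"

def reporting_quadrant(exposure: int, control_level: int) -> str:
    """Quadrant of the Risk Reporting map: exposure vs Management/Control Activity Level."""
    high_exposure, high_control = exposure > TOLERANCE, control_level >= HIGH_AXIS
    if high_exposure:
        return "Monitor" if high_control else "Improve"
    return "Optimize" if high_control else "Accept"

def assess(register: list) -> list:
    """Score every risk; rows come back sorted by residual exposure, highest first."""
    rows = []
    for r in register:
        inh, res = inherent_risk(r), residual_risk(r)
        cell = map_cell(r.residual_likelihood, r.residual_impact)
        rows.append({"name": r.name, "inherent": inh, "residual": res, "reduction": inh - res,
                     "map_cell": cell, "action": MAP_ACTIONS[cell],
                     "reporting": reporting_quadrant(res, r.control_level)})
    return sorted(rows, key=lambda row: (-row["residual"], -row["inherent"], row["name"]))

# Constructed sample register: names from the lecture's Tier 1 list, scores invented.
SAMPLE_REGISTER = [
    Risk("Privacy / Security of Critical Data", 4, 5, 2, 4, 5),
    Risk("Business Continuity Mgmt", 3, 4, 4, 2, 4),
    Risk("Credit and Collections", 3, 3, 4, 2, 2),
    Risk("Data Management", likelihood_score(0.25), 3, 3, 2, 2),
]
```

Calling assess(SAMPLE_REGISTER) returns the register ordered by residual exposure, so the Improve quadrant (high exposure, weak controls) sits at the top of the report and the Accept/Optimize rows at the bottom. The Risk validator rejects a residual score above its inherent score, which would otherwise make a treatment look as if it had increased risk; the same rule is worth enforcing on any hand-maintained register before it feeds a risk map.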
-
Risk Management Recap
Definitions and Terms
Purpose of Risk Management
Managing the Upside and Downside of Business
RM Framework
Measuring Risk
Risk Assessment Approach
Risk Calculations
Risk Reporting
-
Risk Management | Policy Management | Compliance Management | Corporate Governance
-
Policy Management
Regulations and Corporate Policies
Policies, Standards and Guidelines
Policy Management Lifecycle
Policy Compliance
-
Policy as Extension of the Rule of Law
[Figure: nested scopes - the Legal System enclosing the Corporate Boundary, which encloses Policy]
-
Policy Management Lifecycle
1. Environment Changes: Consider corporate, risk and regulatory environments
2. Policy Development: Consider ownership, writing and approval processes
3. Policy Communication: Consider publication, training and attestation
4. Policy Monitoring: Consider enforcement and exception management
5. Policy Maintenance: Consider review and archival processes
-
Policy Compliance
Policy Deployment / Compliance Management
Promote: Communicate the business value of compliance; Communicate how we help achieve compliance value
Enable: Deliver and support the processes and tools that enable compliance; Prepare and support the people who are accountable for compliance
Monitor: Monitor compliance processes and tools; Measure the effectiveness of compliance, including processes and tools
Report: Report on the enterprise health of compliance; Provide business group reporting to management
-
Policy Management Recap
Regulations and Corporate Policies
Policies, Standards and Guidelines
Policy Management Lifecycle
Policy Compliance
-
Risk Management | Policy Management | Compliance Management | Corporate Governance
-
Compliance
Complying with Internal and External Factors
Stakeholder challenges and expectations
Emerging compliance issues
Compliance Risk Universe
Corporate Compliance Framework
-
What are we hearing about compliance
Traditional mindset driven by internal and external factors. Goal: Keep Us Out of Trouble.
Potential Impacts of Non-Compliance: Executive removals; Stiffer sanctions; Catastrophic reputational consequences (personal and corporate); Bigger fines and settlements; Criminal indictments
External Factors: International mandates and voluntary codes; Legal/regulatory requirements; Stock exchange listing rules; Stakeholder expectations; Ratings agencies; Public/political pressure
Internal Factors: Transactions / M&A; Global market expansion; Outsourcing; New product launches; Overlapping compliance responsibilities
-
Increasing Stakeholder Expectations
CEO Viewpoint: Legal risk is the highest rated area in which CEOs won't tolerate risk. (Source: The Conference Board, June 2005)
Board Viewpoint: Boards identify compliance as the most significant risk in 2007. (Source: Ernst & Young Audit Committee Perspectives, 2007)
Investor Viewpoint: Investors expect transparent compliance risk management strategies. (Source: Ernst & Young Global, August 2005)
[Figure: risk areas rated by the surveyed groups - Major Initiatives, Regulatory, M&A/Divestitures, IT, Market Dynamics, People/HR, Legal, Financial, Operating, Strategic, Compliance, Insolvency, Competitive, Reputational, Security, Technology; the ratings themselves are not recoverable from the transcript]
-
Emerging Issues and Questions
How are leading companies:
defining compliance?
identifying their more significant compliance risks and emerging (frontier) issues?
preventing and detecting non-compliance?
monitoring and measuring the effectiveness of their compliance function?
aligning and coordinating compliance and risk management activities? Embedding compliance into the business?
leveraging their compliance investments to provide benefit within their business units?
defining a successful compliance function and assigning ownership for its success?
-
Corporate Compliance Framework
Industry Standards and Regulations: Payment Card Industry Data Security Standard (PCI DSS); Health Insurance Portability and Accountability Act (HIPAA); FISMA (NIST 800-53 r3); Sarbanes-Oxley, privacy laws, etc.
Certifications and Attestations: ISO/IEC 27001:2005 certification; Statement on Auditing Standards No. 70 (SAS 70) Type II attestation; PCI DSS certification; FISMA certification and accreditation
Controls Framework: Identify and integrate regulatory requirements and customer requirements
Assess and remediate: Eliminate or mitigate gaps in control design
Predictable Audit Schedule: Test effectiveness and assess risk; Attain certifications and attestations
Improve and optimize: Examine root cause of non-compliance; Track until fully remediated
-
Compliance Process
-
Rationalized Requirements
-
Compliance Recap
Complying with Internal and External Factors
Stakeholder challenges and expectations
Emerging compliance issues
Compliance Risk Universe
Corporate Compliance Framework
-
Risk Management | Policy Management | Controls & Compliance | Governance
-
Governance
Corporate governance: Set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered or controlled.
Information Technology Governance: Subset of corporate governance focused on IT system performance and risk management.