VALUE CREATION THROUGH OPTIMISING RISK
Description: Presented by Garry Barnes to ISACA Canberra Chapter, October 21st
Transcript:
VALUE CREATION THROUGH OPTIMISING RISK
Garry Barnes Vice President ISACA
October 2014
BACKGROUND
ISACA:
International Vice President
Strategic Advisory Council
Credentialing and Career Management Board
CISM Certification Committees
Sydney Chapter 2003-2012 (President 2008-10)
Security, Governance, Risk and Audit:
Managing Consultant, BAE Systems
Risk Manager & Information Security Consultant, Commonwealth Bank of Australia
Information Security Manager & IT Audit Manager, NSW Departments of Education & Commerce
CISA CISM CGEIT CRISC MAICD
COMMON APPROACHES
3 | 22/10/2014
Risk = Threats × Assets × Vulnerabilities
Risk: the likelihood that a loss will occur.
RISK MANAGEMENT AT LOW PERFORMING ORGANISATIONS
✗ Is used primarily for compliance:
  ✗ Supporting compliance reporting
  ✗ Identifying and assessing controls to minimise breaches
✗ Is constrained by internal organisational boundaries
✗ Is reactive:
  ✗ An additional and separate step in decision making
  ✗ Identified risks viewed as poor performance
✗ Static view of risk:
  ✗ Ignoring changing business requirements
  ✗ Once-a-year risk assessment
✗ Ineffective risk monitoring:
  ✗ Inaccurate measurement of actual risk levels
  ✗ No enterprise-wide view provided by risk aggregation
✗ Wrong accountability model:
  ✗ Risk Managers (or Owners) vs Risk Facilitators (or Function)
RISK MANAGEMENT AT TOP PERFORMING ORGANISATIONS
✓ Is closely linked with strategy:
  ✓ Risk with new products and services, mergers and acquisitions, etc.
✓ Is proactive and consistent:
  ✓ Risk information is available to support strategic, change and operational decisions
✓ Integrates enterprise and IT risk:
  ✓ Common language
  ✓ Aggregation of risks
✓ Links with business outcomes:
  ✓ Creates awareness and understanding of risk policy
  ✓ Risk Appetite Statement provides a reference point leading to better business decisions
COBIT 5 – “RISK OPTIMISATION”
The Governance Objective:
“Value creation means realising benefits at an optimal resource cost while optimising risk”
NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
COBIT 5 FOR RISK – “DUALITY OF RISK”
Do things well and preserve or gain value
Do things badly and lose or fail to gain value
ADDRESSING TWO PERSPECTIVES ON RISK
RISK FUNCTION CAPABILITIES
Risk governance e.g. 3LoD
Risk culture & behaviours
Risk training
Risk systems
Risk methodology
Risk principles, policy
Risk accountability
Risk criteria
Risk intelligence
RISK MANAGEMENT CAPABILITIES
Risk planning
Risk monitoring
Risk methodology
CORE AND SUPPORTING RISK PROCESSES
Core risk processes
Key supporting processes
CORE RISK PROCESSES
Governance process: EDM03 – Ensure risk optimisation:
This process covers the understanding, articulation and communication of the enterprise risk appetite and tolerance and ensures identification and management of risk to the enterprise value that is related to IT use and its impact.
• Define and communicate risk thresholds
• Make sure key IT-related risk is known
• Ensure risk does not exceed appetite
CORE RISK PROCESSES
Management process: APO12 – Manage risk:
This process covers the continuous identification, assessment and reduction of IT-related risk within levels of tolerance set by enterprise executive management.
• Collect appropriate data and analyse risk
• Maintain risk profile and articulate risk
• Define action plan and respond
RISK SCENARIOS
Common risk identification challenges:
• Volume of identifiable risks
• Generic risk descriptions – misalignment with business
• Process and control failure risks – incidents!
• Over specification of risk detail
• Repetition of risk across BUs
WHAT IS RISK APPETITE?
ISO 31000: Amount and type of risk that an organisation is willing to pursue or retain.
COBIT 5 for Risk: The broad-based amount of risk in different aspects that an enterprise is willing to accept in pursuit of its mission (or vision).
“Acceptable Level of Risk”
Risk Appetite
Design
Construct
Implement
Govern
DESIGNING RISK APPETITE
Risk Appetite and Risk Tolerance Consultation paper Institute of Risk Management May 2011 – Figure 1 Used with permission
DESIGNING RISK APPETITE
• Business risk context
• Risk capacity and capability
• Risk philosophy
• Risk outcomes
POOR POLICIES INHIBIT OPTIMISING RISK
Policy often preceded Risk Appetite Statements:
• Legacy effect of historic policy positions
• Enterprise-wide policies lack granularity for local risk/reward decisions
• Tightening of policies after incidents
Codes of Conduct:
• Great place to start when developing a Risk Appetite Statement
• Language the Board and Executives understand
• Often covers some key areas of risk – expectations, compliance
CONSTRUCTING RISK APPETITE
• Risk domains
• Risk appetite statements
• Risk metrics (KRIs)
• Risk tolerances
DETAILED RISK APPETITE STATEMENTS
Very Low (e.g. compliance risk)
• Avoid exposures
• Ensure awareness and operation of controls
• Assurance of KPIs and KRIs
Low (e.g. operational risk)
• Minimise risk exposures
• Provide awareness and operation of controls
• Monitor and report KPIs and KRIs
Moderate (e.g. program risk)
• Allow local decisions for risk/reward, cost/benefit
• Use timely risk information to drive risk response
High (e.g. investment risk)
• Seek strategic opportunities
• Manage risk and return
• Communicate expectations and outcomes
RISK TOLERANCE
Risk tolerance levels are tolerable deviations from the level set by the risk appetite definitions.
Risk Appetite and Risk Tolerance Consultation Paper, Institute of Risk Management 2011. Used with permission.
IMPLEMENTING RISK APPETITE
• Communicate & train
• Risk calendar
• Risk tools
• Measure against KRIs
IMPLEMENTING RISK APPETITE
Communicate
Inform key stakeholders:
• Directors, Executives, Business and Operations Managers
Clarify accountability between risk function and risk management roles
Provide tools and guidance
• Enable active use of the risk appetite statements in daily business operations
• Deploy the Risk Function as support for risk processes
Monitor
• Monitor operational metrics and Key Risk Indicators
• Perform meaningful risk aggregation
• Provide relevant and timely reporting
Review
• Conduct periodic reviews (stress tests)
• Use risk assessments, operational metrics and incident data to refine risk appetite and processes
GOVERNING RISK APPETITE
• Assess and act on metrics
• Monitor risk profile
• Monitor business change
RE-DESIGNING RISK APPETITE
• Revise as required
• Communicate
• Refine policies, etc.
SUMMARY: DESIGNING RISK APPETITE
Design: business risk context; risk capacity and capability; risk philosophy; risk outcomes
Re-design: revise as required; communicate; refine policies, etc.
Govern: assess and act on metrics; monitor risk profile; monitor business change
Construct: risk domains; risk appetite statements; risk metrics (KRIs); risk tolerances
Implement: communicate & train; risk calendar; risk tools; measure against KRIs
EXPLORING THE CHALLENGES – OBTAINING VALUE
Risk and opportunity
Risk scenarios
Risk appetite
Risk capability
“The best risk management is about managing risk to business performance against specific outcomes or objectives.” Excerpt From: Brian Barnier “The Operational Risk Handbook for Financial Companies: A guide to the new world of performance-oriented operational risk.”
CHARACTERISTICS FOR RISK OPTIMISATION
• Context – Scenarios, outcomes, framework, appetite, KRIs (i.e. risk function and risk management enablers) must be relevant to the risk context of the business
• Consistency – Develop risk appetite and scenarios and then identify granular but consistent appetites for risks across the business in business language
• Completeness – Address all key risk domains across the business chain and aggregate sensibly
• Culture – Align capability and appetite with risk maturity and desired risk culture
• Cooperation – Encourage proactive behaviours and guidance on management of risk and risk appetite
• Current – Monitor for change using risk information and refine responses as required
COBIT 5 – “RISK OPTIMISATION”
The Governance Objective:
“Value creation means realising benefits at an optimal resource cost while optimising risk”
QUESTIONS?