PERFORM WITH INTEGRITY ™ Enable Federated Risk Assessments and yet get an Integrated Risk View Aneesh Bhatnagar, AVP – Product Management Jose Biscaya, Manager – CSIG

Post on 12-Feb-2021


TRANSCRIPT

  • PERFORM WITH INTEGRITY ™

    Enable Federated Risk Assessments and yet get an Integrated Risk View

    Aneesh Bhatnagar, AVP – Product Management

    Jose Biscaya, Manager – CSIG

  • © 2019 GRC Summit All Rights Reserved. PERFORM WITH INTEGRITY ™

    Challenges faced by Risk Professionals

    • “I want to allow different Risk functions to do assessments based on appropriate frameworks”

    - Chief Risk Officer

    • “I want a single, integrated view of risks that might impede business performance, or jeopardize market viability”

    - Board and Executive Members

    • “I want to get a consolidated view of the risks from cyber, operational, audit, third party and compliance perspectives.”

    - Chief Risk Officer

    • “I want to get the top down vs bottom up view of risks”

    - Chief Risk Officer

    • “I want to get the view of risk posture by product lines”

    - Chief Product Officer / EVP Business

  • Enterprise Risk

    • Objective, Business Unit

    • Simple

      • Usually 2 factors

      • Impact and Likelihood Matrix

      • Impact X Likelihood based scoring

    • Controls rated either by overall effectiveness or as individual controls

    • Residual

      • Inherent – Control

      • Inherent vs Control matrix

  • Operational Risk

    • Mostly on Processes

    • Simple to Complex

      • 2 factors to many

      • Impact and Likelihood

      • Impacts broken down to Reputation, Financial, Strategic, etc.

      • Impact, Likelihood, Velocity, Magnitude

    • Controls rated more granularly or kept high level

    • Residual

      • Inherent – Control

      • Inherent vs Control matrix

    • Aggregation is critical

  • Cyber Risk

    • IT Asset based risks are assessed

    • The Risks are identified as a derivative of IT Asset properties, Threats, Vulnerabilities and IT Controls

    • Factors considered are

      • Impact on Operations that are serviced by the IT Asset

      • Impact on Organizational Goals

      • Impact on Reputation

      • Likelihood of the Risk materializing

      • Frequency of the Risk materializing

  • Business Continuity

    • The Risk Assessments are done in the context of a Location

    • The tail end (high impact, low frequency) risks are assessed

    • Factors considered are

      • Financial Impacts

      • Impact on Employees

      • Impact on Assets

      • Impact on Reputation

      • Likelihood of the Risk materializing

      • Frequency of the Risk materializing

    • The mitigations are generally Business Continuity Plans

  • Third Party Risk

    • Third Party / Vendors

    • Factors considered are

      • Nature of Third Party

      • Critical business processes serviced by the third party

      • External Rating – Dow Jones

    • Mitigation plans are to have backup / alternate third parties lined up, or to distribute the product / service procurement across multiple third parties

  • Compliance Risk

    • Assessments pertaining to risks related to regulations

    • Mostly simple based on Impact and Likelihood

    • Control ratings are simple too

    • Residual is either a matrix of Inherent and Control or Inherent minus Control.

  • Audit

    • Auditable Entities

    • Mostly Single Risk Rating or based on Impact and Likelihood

    • Usually a single rating is sufficient

    • Aggregation is critical to do a risk based audit

  • And, many others…

  • How do we do this?

    • Federated Risk Assessments

    • Consolidated Risk Reporting

    • Comparative Reporting
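As an added illustration (not MetricStream's code or the deck's own method) of how the scoring approaches on the preceding slides (Impact X Likelihood, Residual = Inherent – Control, the Inherent vs Control matrix, multi-factor operational impacts) can stay federated while one consolidation step still produces an integrated and comparative view per business unit. All scales, matrix cells, the velocity weighting and the sample assessments are constructed assumptions.

```python
import math
from statistics import mean

def inherent_two_factor(impact, likelihood):
    """Enterprise/Compliance/Cyber style: Impact x Likelihood on 1-5 grids -> 1..25."""
    return impact * likelihood

def inherent_multi_factor(impacts, likelihood, velocity):
    """Operational style: worst of several impact dimensions (reputation, financial,
    strategic) x likelihood, raised up to 20% by velocity 1-5 (constructed) -> 1..30."""
    return max(impacts) * likelihood * (1 + 0.05 * (velocity - 1))

def residual_subtractive(inherent, control):
    """Residual = Inherent - Control, with the control rated on the inherent scale."""
    return max(1.0, inherent - control)

def band(score, top):
    """Normalize a score in 1..top onto the common 1-5 reporting band."""
    return min(5, max(1, math.ceil(score * 5 / top)))

# Inherent vs Control matrix: row = inherent band, column = control band
# (1 = weak .. 5 = strong); each cell is the residual band. Constructed values.
RESIDUAL_MATRIX = [[1, 1, 1, 1, 1],
                   [2, 2, 1, 1, 1],
                   [3, 3, 2, 2, 1],
                   [4, 4, 3, 2, 2],
                   [5, 5, 4, 3, 2]]

def residual_matrix(inherent, control_band, top):
    """Residual looked up from the matrix after banding the inherent score."""
    return RESIDUAL_MATRIX[band(inherent, top) - 1][control_band - 1]

def consolidate(assessments):
    """Integrated view per business unit from federated (unit, function, band)
    tuples: worst residual band, the function that reported it, mean and count."""
    by_unit = {}
    for unit, function, residual_band in assessments:
        by_unit.setdefault(unit, []).append((residual_band, function))
    return {u: {"max": max(v)[0], "driver": max(v)[1],
                "mean": round(mean(b for b, _ in v), 2), "count": len(v)}
            for u, v in by_unit.items()}

# Constructed sample: four functions assessing two units, each its own way.
SAMPLE = [
    ("Payments", "Enterprise", band(residual_subtractive(inherent_two_factor(5, 4), 8), 25)),
    ("Payments", "Operational", residual_matrix(inherent_multi_factor([3, 5, 2], 3, 4), 4, 30)),
    ("Payments", "Cyber", residual_matrix(inherent_two_factor(max(4, 2, 5), 5), 2, 25)),
    ("Logistics", "Compliance", band(residual_subtractive(inherent_two_factor(2, 3), 4), 25)),
]
```

Running `consolidate(SAMPLE)` shows the point of the integrated view: the Enterprise assessment alone rates Payments at band 3, but the consolidated line reports 5, driven by the Cyber function's asset-based assessment.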

  • Perspective enables…

    • Enterprise Risk, Cyber Risk, Operational Risk, Third Party, Compliance, Audit, etc. to do assessments as they like

    • The same Risk function having multiple assessment methodologies

    • Risk Assessment based on Objectives, Products, Assets, Regulations and many others…

    • Top Down and Bottom Up Risk Assessment

  • The most flexible assessment framework…

    • Complies with most standards and organization needs

  • Helps get risk profile from different perspectives

  • An Overview of Risk Posture

  • And, drive…

  • LIVE DEMO

  • Thank You. Continue the conversation on #GRCSummit

    http://www.facebook.com/metricstream

    http://www.linkedin.com/metricstream

    http://www.twitter.com/metricstream