TRANSCRIPT
The Detroit Chapter of the IIA Presents
By Priti Sikdar (FCA, CISA, CISM, CRISC, ISO 27001 LA, BS 25999 LA, PRINCE 2 (FC))
Assessing and Building a Risk Conscious Culture
If You Have Questions…
If you have questions during the webcast:
– If necessary, exit Full Screen View by pressing the Esc key
– Submit questions through the Ask a question button
Earning CPE Credit
In order to receive CPE credit for this webcast, participants must:
– Attend the webcast on individual computers (one person per computer)
– Answer polling questions asked throughout the webcast
When answering polling questions, select your answer and then click the “Vote” button (next to the “Ask a Question” button) to submit / save your answer.
CPE certificates will be sent to the e-mail address on your BrightTALK account within two weeks of this webinar.
Please tell us your member status
A) Member – Detroit Chapter
B) Member – Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)
C) Member – Other District
D) Non-member
Risk: an inevitable part of every business!
Risk and return are inversely proportional
My risk is another’s opportunity!
Risk is all pervasive
Elements of organization
Risk can pervade any of the elements
Tone at the top is a good determinant of risk culture
A secure risk culture can provide both stability and a competitive advantage
Vulnerabilities are mostly due to people
Lack of security training
Unavailability of proper job descriptions
Management does not give importance to risk evaluation activities
Surfing on insecure websites
Lack of pre-screening for new employees
Risk culture: definition
“Risk culture can be defined as individual and group behaviour within an organization that determines the way in which the company identifies, understands, discusses and acts on the risks the organization confronts and takes.”
(Source: “Reform in the Financial Services Industry: Strengthening Practices for a More Stable System.” Institute of International Finance, 2009)
Assess level of maturity in risk management
The organization’s level of understanding and maturity must be assessed before designing a risk strategy to embed risk within its culture.
At a higher level, organizations may have their own risk frameworks or opt for risk standards like ISO 27001, ISO 31000, that define specific control objectives.
People determine organizational culture
The way an organization works depends largely on its people culture.
RISK is all pervasive, and perceptions of risk differ from person to person and from organization to organization.
Organizations may choose different ways to deal with risk, and this choice is a subjective one.
Question Time
1) Risk is the outcome of a threat exploiting a vulnerability within the organizational system:
i) True
ii) False
Understanding Risk
Organizations need to communicate their risk perceptions to employees
Management to communicate expectations
Management to communicate risk management expectations for the organization
Define roles and responsibilities around risk.
Deliver communications from leadership using a common risk management vocabulary.
Set risk accountabilities.
Conduct general education and customized risk training programs based on employees’ roles.
Embed risk management at the induction stage.
Refine recruitment methods to include risk management capabilities.
Question Time
2) Risk that remains once all mitigation controls are implemented is called:
a) Business risk
b) Inherent risk
c) Residual risk
d) Strategic risk
Board responsibility in risk
Does the board understand how innovative technologies could disrupt the organization’s business model?
Are innovative technologies and approaches being adopted that can better create value and capture greater market share for the organization?
Does the organization have a set of defined innovation KPIs linked to key growth objectives? Is there regular reporting on such KPIs?
Are innovative technologies across the industry being benchmarked?
How often are directors’ meetings held with business unit leaders and suppliers?
Is the Board aware of prevalent market practices? Are they aware of competitors’ practices?
False sense of security
Myth: risk is covered if you have insurance.
What if you get surprises?
WHAT IF the insurance expired yesterday and the renewal cheque is still in the office?
WHAT IF your assets are under-insured?
WHAT IF the risk is not covered by your contract?
Positive indicators of a healthy risk culture
• Commonality of purpose, values and ethics: the extent to which an employee’s individual interests, values and ethics are aligned with the organization’s risk strategy, appetite, tolerance and approach.
• Proper understanding and application: whether risk is a part of organizational activities from strategic planning to day-to-day operations.
• A learning organization: whether risk monitoring and correction is an ongoing process that is moving towards continuous improvement.
• The organization communicates its risk definition, perception and criteria to all employees: there is constant interactive exchange on risk-related issues between departments and employees.
Why Risk?
Threats hover inside and outside the organization
Organizations are not always ready for existing risks, or for the new risks that keep emerging.
By exposing organizational vulnerabilities to risk, the financial crises of 2007 and 2008 marked a turning point in rethinking the role of an organization’s risk culture.
Risk Breakdown Structure
Categories of risk
Hazard risk (natural hazards): natural, manmade, pandemic, employee injury
Strategic risk (business related risks): customer specific risks, risk to brand, risk from competitors
Financial risk (quantitative risks): interest rate risk, liquidity risk, working capital adequacy risk
Stages of risk management
Assess - Analyse - Treat
Risk Assessment
•Context of the organization
•Understand business processes
•Understand threat profile
Risk analysis and rating
•List of critical processes /assets
•List of threat-vulnerabilities-consequences
•Making the likelihood matrix and setting rating scale for risks identified
Risk Treatment
•Avoid
•Accept
•Share/Transfer
•Mitigate
Risk Scenarios
Effective risk culture
An effective risk culture promotes sound risk-taking, takes emerging risks into account (beyond risk appetite), and ensures employees conduct business in a “legal and ethical manner.”
People lower in the organizational hierarchy may not identify risks, and hence those risks may never be considered, giving rise to exposure.
Causes of failure of risk management
Mismeasurement of known risks;
Failure to take risks into account, i.e. mismeasurement due to ignored risk;
Failure in communicating the risks to top management;
Failure in monitoring risks;
Failure in managing risks; and
Failure to use appropriate risk metrics or measurement system.
Changing the risk culture…
Change is slow and needs effort to unfreeze the organization, convince the people, embed the change and refreeze the organization at the desired level of risk.
Organizations aim to embed risk performance metrics into motivational systems.
Risk management considerations can be added to the KRIs, and appraisals can include them as one of the metrics.
Ensure that individuals with a risk orientation and know-how are placed in roles where effective risk management is critical.
Making risk management sustainable
Integrating risk management lessons learned into communications, education and training.
Holding people accountable for their actions.
Refining risk performance metrics to reflect changes in business strategy, risk appetite and tolerance.
Redeploying individuals to reflect changes to business strategy and priorities.
Requisites for embedding change
Awareness
•Of what change is to be made
•Who is to make the change
•Persons authorizing change
Agility
•Ability to respond to queries
•Timely implementation of change
Effective resources
•People
•Services
•Applications
•Utilities
Introducing a risk based culture
Unfreeze the organization
Initiate risk based programs in the organization
Refreeze the organization at a level of maturity higher than what it started with
Unfreeze the organization
An organization exists at a certain level of risk acceptance, and this level is commensurate with its business and clients.
To prepare for a risk conscious environment, it will be necessary to make people aware of the need to identify and assess risks and to establish a risk management system within the organization.
Efforts to obtain sign-off for risk initiatives have always proved vital to the success of risk management programs.
Consensus from people is a key to success; when goals are shared, commonality of objectives results.
Initiating risk management activities
Driving risk initiatives
Perform a risk impact analysis
Identify threat
Identify source of threat
Identify vulnerability
Identify risk
Determine likelihood of occurrence
Calculate impact if threat exploits the vulnerability leading to loss
Threat Vulnerability Risk
Undertake Training Awareness Sessions
Awareness sessions can be informal, during the lunch hour in the canteen, or in a classroom.
People need to be encouraged to open up and share their experiences of risk and their perceptions.
Illustrative portrayals of common disasters like fire and power outages, together with live case studies, will be effective.
Organize Risk Workshops for different business groups
Discuss risk concepts and introduce the audience to the risks applicable to their group.
Discuss past precedents/incidents that have affected the business/department and the frequency of such incidents.
Discuss controls and note control lacunae in the different areas under discussion.
This is a quasi-CSA (Control Self Assessment) in which high-risk areas are identified at the shop-floor level.
Review Asset Register
It is imperative that user management and business divisions have a list of the assets and processes of which they are owners/custodians.
From these assets/processes they have to pick out which are detailed/significant and which are baseline.
Only detailed processes will be selected for risk analysis.
Baseline processes will fall under general risk management procedures.
Study Asset Classification Scheme
Information must be classified into:
i) Critical
ii) Vital
iii) Important
iv) Minor
Classification of information shall be made on a sensitivity basis.
Risk attitude/risk appetite
Risk attitude generally determines risk treatment: whether or not risks are to be tolerated, shared, avoided, retained or transferred, and also whether these treatments are to be implemented now or postponed to some future date. Like business continuity, a risk assessment process is also driven by top management.
Risk appetite: in the context of the ISO 22301 standard, risk appetite refers to the amount and type of risk that an organization is prepared to accept, tolerate, or pursue.
Risk Tolerance Levels
Risk tolerance is a matter of recognising those risks for which management is prepared to suffer anomalies/loss.
Set Risk Criteria for Every Level
Threat Likelihood and Consequence Rating

Likelihood of Occurrence   Consequence   Threat Level   Threat Rating
Low                        Low           Low            1
Low                        Moderate      Low            2
Low                        High          Moderate       3
Moderate                   Low           Low            2
Moderate                   Moderate      Moderate       3
Moderate                   High          High           4
High                       Low           Moderate       3
High                       Moderate      High           4
High                       High          High           5
Risk Dashboard
Prepare Threat List that is realistic for the business
Prepare a list of threats and vulnerabilities and give it to users to select what is most likely to affect them.
Make a threat-risk-impact analysis and rate all risks.
Prioritize risks in order of importance and on a cost-effect basis.
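The rating table and the prioritization step described here can be put to work in a small risk register. The Python below is an added example written for this transcript, not code from the slides or from the presenter: it encodes the slide’s likelihood/consequence table, rates a constructed list of threat/vulnerability pairs (the pairings, taken from the threat and vulnerability lists on the following slide, and their likelihood/consequence values are assumptions), and sorts them so the highest-rated exposures come first. The `tolerance` threshold, at or below which a risk is treated as accepted, is also an assumption made for illustration.

```python
"""Tiny risk register: rate threat/vulnerability pairs with the slide's
likelihood x consequence table and prioritise them against a tolerance."""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")

# Threat rating table as given on the "Set Risk Criteria for Every Level" slide:
# (likelihood of occurrence, consequence) -> (threat level, threat rating)
RATING_TABLE = {
    ("Low", "Low"): ("Low", 1),
    ("Low", "Moderate"): ("Low", 2),
    ("Low", "High"): ("Moderate", 3),
    ("Moderate", "Low"): ("Low", 2),
    ("Moderate", "Moderate"): ("Moderate", 3),
    ("Moderate", "High"): ("High", 4),
    ("High", "Low"): ("Moderate", 3),
    ("High", "Moderate"): ("High", 4),
    ("High", "High"): ("High", 5),
}


@dataclass(frozen=True)
class RiskItem:
    threat: str
    vulnerability: str
    likelihood: str   # one of LEVELS
    consequence: str  # one of LEVELS


def rate(likelihood: str, consequence: str) -> tuple[str, int]:
    """Look up threat level and rating; reject values outside the slide's scale."""
    if likelihood not in LEVELS or consequence not in LEVELS:
        raise ValueError(f"likelihood and consequence must be one of {LEVELS}")
    return RATING_TABLE[(likelihood, consequence)]


def build_register(items, tolerance=2):
    """Rate every item, sort by descending rating (ties alphabetically by threat)
    and flag the items whose rating exceeds the tolerance.

    `tolerance` is an assumed illustrative threshold: ratings at or below it are
    taken to be within management's risk tolerance and need no further treatment.
    """
    rows = []
    for item in items:
        level, rating = rate(item.likelihood, item.consequence)
        rows.append({
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "level": level,
            "rating": rating,
            "needs_treatment": rating > tolerance,
        })
    rows.sort(key=lambda r: (-r["rating"], r["threat"]))
    return rows


def treatment_queue(register):
    """Return the threats that exceed tolerance, already in priority order."""
    return [r["threat"] for r in register if r["needs_treatment"]]


# Constructed sample input: the threat and vulnerability names come from the
# "Match Threat with vulnerabilities" slide; the pairings and the
# likelihood/consequence values are assumptions made for this example.
SAMPLE_ITEMS = [
    RiskItem("Fire", "Proximity to gas station", "Low", "High"),
    RiskItem("Earthquake", "Glass structure of building", "Low", "Moderate"),
    RiskItem("System downtime", "No redundancy", "Moderate", "High"),
    RiskItem("Hacker/cracker/sabotage", "Firewall rules not configured properly", "High", "High"),
    RiskItem("Theft", "No process for return of assets while leaving organization", "Moderate", "Low"),
    RiskItem("Unauthorized access", "Password sharing", "High", "Moderate"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS):
        flag = "TREAT" if row["needs_treatment"] else "accept"
        print(f"{row['rating']} {row['level']:<8} {flag:<6} {row['threat']}: {row['vulnerability']}")
```

Sorting by rating with an alphabetical tie-break keeps the register output stable between runs, which matters when it is handed to business groups for review; raising `tolerance` shrinks the treatment queue without changing any rating, which is exactly the lever risk appetite gives management.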
Match Threat with vulnerabilities
Threats
Fire
Earthquake
System downtime
Power outage
Hacker/cracker/sabotage
Disgruntled employee/dismissed employees
Theft
Unauthorized access
Vulnerabilities
Proximity to gas station
Glass structure of building
Network vulnerable
No redundancy
Firewall rules not configured properly
Allowed access to critical processes
No process for return of assets while leaving organization
Password sharing
To remove misconceptions, arrange a second knowledge-sharing session
Interview business process heads
Take stock of existing controls
Identify vulnerabilities/gaps
Rank them in terms of criticality
NB: This can be effectively done in workshop mode
Identify existing controls
Threats are hovering inside and outside the organization.
A lot depends on an effective control system that safeguards against known risks.
Good management inculcates a risk culture by leading by example. I have witnessed an evacuation drill where the MD of the company was the first to walk after the alarm.
Being risk averse means being control savvy.
Question Time
3) The first requisite of a risk management exercise is:
a) Risk strategy
b) Risk acceptance
c) Risk identification
d) Risk mitigation
Make Control Gap Assessment
Identify control gaps and suggest control measures
A CSA (Control Self Assessment) can be initiated, and the participation of line managers solicited, to identify areas of high risk.
Once risk gaps are identified, remediation measures can be defined and a time scale for meeting the remediation exercise can be determined.
Risk Assessment is a subjective exercise
To get the best results, people should be educated and guided towards using their business acumen, based on past precedents and future forecasts, in assessing present risks and choosing appropriate risk treatments.
It is a collaborative and iterative exercise, and hence embedding risk awareness and resilience to risk incidents is akin to vaccination against disease.
People run business processes, and, steered in the right perspective, people can safeguard organizational assets/processes.
Changing culture is always a challenge
Changing culture thus requires change at the level of beliefs, which is often substantially more difficult than changing business processes or information systems.
To complicate matters, there may be an overall company culture and sub-cultures across groups, and sometimes these can be in conflict.
While CEOs have the authority to lead cultural change across a company, other leaders are limited in scope to driving belief changes within their specific sub-organization.
Culture is a matter of mindset
In an integrated, healthy atmosphere where people treat their work with ownership and responsibility and complement each other in the spirit of one for all and all for one, risks will be minimised and dealt with promptly and at minimal expense.
Group programs, workshops, seminars, picnics and celebrations of common festivals will promote the cultural integration that is necessary for effective risk avoidance and mitigation.