The Detroit Chapter of the IIAPresents

LOGO

By Priti Sikdar (FCA, CISA, CISM, CRISC, ISO 27001 LA, BS 25999 LA, PRINCE 2(FC)

Assessing and Building a Risk Conscious Culture

If You Have Questions…

If you have questions during the webcast:

– If necessary,

exit Full Screen View

by pressing the Esc key

– Submit questions

through the

Ask a question button

Earning CPE Credit

In order to receive CPE credit for this webcast, participants must:

Attend the webcast on individual computers (one person per

computer)

Answer polling questions asked throughout the webcast

When answering polling questions, select your answer and the

click “Vote” button (next to the “Ask a Question” button) to

submit / save your answer.

CPE certificates will be sent to the e-mail address on your

BrightTALK account within two weeks of this webinar.

A) Member Detroit ChapterB) Member – Central Region District 2 (Fort Wayne, Toledo,

Michiana, W. Mich., Lansing) C) Member – Other DistrictD) Non-member

Please tell us your member status

Risk-an inevitable part of every business!

Company Logo

Risk n Return are inversely proportional

Company Logo

My risk is other’s opportunity!

Opportunity

Risk

Risk is all pervasive

Elements of organization

Risk can pervade any of the elements

Tone at top is a good determinant of risk culture

A secure risk culture can provide both stability and a competitive advantage

Company Logo

Vulnerabilities are mostly due to people

Lack of security training

Unavailability of proper job descriptions

Management do not give importance to risk evaluation activities

Surfing on unsecure websites

Lack of pre-screening for new employees

Company Logo

Risk Culture-definition

“Risk culture can be defined as individual and group behaviour within an organization that determines the way in which the company identifies, understands, discusses and acts on the risks the organization confronts and takes.”

(Source: “Reform in the Financial Services Industry : Strengthening Practices for a More Stable System .” Institute of International Finance, 2009)

Company Logo

Assess level of maturity in risk management

The level of understanding/maturity is to be considered before designing risk strategy to embed risk within the culture of the organization.

At a higher level, organizations may have their own risk frameworks or opt for risk standards like ISO 27001, ISO 31000, that define specific control objectives.

Company Logo

People determine organizational culture

The way an organization works is largely dependent on the people culture.

RISK is all pervasive and perceptions to risk differ from person to person and from organization to organization.

Organizations may choose different ways to deal with risk and this decision is a subjective decision.

Company Logo

Question Time

1) Risk is the outcome of threat exploiting a vulnerability within the organizational system-

i) True

ii) False

Company Logo

Understanding Risk

Organizations need to communicate their risk perceptions to employees

Company Logo

Management to communicate expectations

Management to communicate risk management expectations for the organization

Define roles and responsibilities around risk.

Delivering communications from leadership using a common risk management vocabulary.

Setting risk accountabilities.

Conducting general education and customized risk training programs based on employees’ roles.

Embedding risk management at induction stage.

Refining recruitment methods to include risk management capabilities.

Company Logo

Question Time

2) Risk that remains once all mitigation controls are implemented is called-

a) Business risk

b) Inherent risk

c) Residual risk

d) Strategic risk

Company Logo

Assessing and Building a Risk Conscious Culture

Board responsibility in risk

Does the board understand how innovative technologies could disrupt the organization’s business model?

Are innovative technologies and approaches being adopted that can better create value and capture greater market share for the organization?

Does the organization have a set of defined innovation KPIs linked to key growth objectives? Is regular reporting on such KPIs made?

Are innovative technologies across the industry being benchmarked?

How often do directors meetings held with business unit leaders and suppliers?

Is the Board aware of prevalent market practices? Are they aware of competitors’ practices?

Company Logo

False sense of security

Myth is risk is covered if you have insurance

Company Logo

What if you get surprises

WHAT IF insurance has expired yesterday and renewal cheque is still in office?

WHAT IF your assets are under-insured?

WHAT IF the risk is not covered by your contract?

Company Logo

Positive indicators of a healthy risk culture

Company Logo

• Commonality of purpose, values and ethics: The extent to which an

employee’s individual interests, values and ethics are aligned with the

organization’s risk strategy, appetite, tolerance and approach.

• Proper Understanding and application: Whether risk is a part of

organizational activities from strategic planning to day-to-day operations.

• A learning organization: Whether risk monitoring and correction is an

ongoing process and is moving towards continuous improvement.

• Organization is communicating their risk definition, perception and

criteria to all employees: There is constant interactive exchange on risk

related issues between departments and employees.

Why Risk?

Threats hover inside and outside the organization

Organizations are not always ready for risks or for new risks that keep adding.

Organizational vulnerabilities to risk, the financial crises of 2007 and 2008 marked a turning point in rethinking the role of an organization’s risk culture.

Company Logo

Risk Breakdown Structure

Company Logo

Company Logo

Categories of risk

Natural, manmade, pandemic, employee injuryHazard risk•Natural hazards

Customer specific risks, risk to brand, risk from competitors Strategic risk•Business related risks

Interest rate risk, liquidity risk, working capital adequacy risk, Financial risk•Quantitative risks

Stages of risk management

Assess-Analyse-Treat

Company Logo

•Context of the organization

•Understand business

• processes

•Understand threat profile

Risk Assessment

•List of critical processes /assets

•List of threat-vulnerabilities-consequences

•Making the likelihood matrix and setting rating scale for risks identified

Risk analysis and rating •Avoid

•Accept

•Share/Transfer

•Mitigate

Risk Treatment

Risk Scenarios

Company Logo

Effective risk culture

An effective risk culture promotes sound risk-taking, Takes emerging risks into account (beyond risk appetite), and ensures employees conduct business in a “legal and ethical manner.”

People who are lower in the organization hierarchy may not identify risks and hence risks may not be considered giving riske to exposure

Company Logo

Causes of failure of risk management

Mismeasurement of known risks;

Failure to take risks into account, i.e. mismeasurement due to ignored risk;

Failure in communicating the risks to top management;

Failure in monitoring risks;

Failure in managing risks; and

Failure to use appropriate risk metrics or measurement system.

Company Logo

Changing the risk culture…

Change is slow and needs efforts to unfreeze, convince the people and embed the change and refreeze the organization a the desired level of risk.

Organizations aim at embedding risk performance metrics into motivational systems.

Risk management considerations can be added to the KRIs and appraisal can include it as one of the metric.

Ensure that individuals having orientation and knowhow in risk are placed in roles where effective risk management is critical.

Company Logo

Making risk management sustainable

Integrating risk management lessons learned into communications, education and training.

Holding people accountable for their actions.

Refining risk performance metrics to reflect changes in business strategy, risk appetite and tolerance.

Redeploying individuals to reflect changes to business strategy and priorities.

Company Logo

Requisites for embedding change

Company Logo

Awareness

•Of what change is to be made

•Who is to make the change

•Persons authorizing change

Agility

•Ability to respond to queries

•Timely effecting of change

Effective resources

•People

•Services

•Applications

•Utilities

Introducing a risk based culture

Unfreeze the organization

Initiate risk based programs in the organization

Refreeze the organization at a level of maturity higher

than what was started with

Company Logo

Unfreeze the organization

An organization exists at a certain level of risk acceptance and this is commensurate to the business and clients.

To prepare for risk conscious environment, it will be necessary to make people aware of the need to identify and assess risks and establish a risk management system within the organization.

Efforts to take signoff for risk initiatives have always proved to be vital in the success of risk management programs.

Consensus from people is a key to success, when goals are shared, commonality of objectives result.

Company Logo

Initiating risk management activities

Driving risk initiatives

Perform a risk impact analysis

Identify threat

Identify source of threat

Identify vulnerability

Identify risk

Determine likelihood of occurrence

Calculate impact if threat exploits the vulnerability leading to loss

Company Logo

Threat Vulnerability Risk

Undertake Training Awareness Sessions

Awareness sessions can be informal, during lunch hour in canteen or in a classroom.

People need to be encouraged to open up and share their experiences on risk and their perceptions.

Illustrative portrayal of common disasters like fire, power outage and live case studies shall be effective.

Company Logo

Organize Risk Workshops for different business groups

Discuss risk concepts and introduce audience with risks applicable to their group.

Discuss past precedents/incidents that have affected the business/department and frequency of such incidents

Discuss controls and note control lacuna in different areas under discussion.

This is a quasi-CSA (Control Self Assessment) where high risk areas are identified at the shop floor level

Company Logo

Review Asset Register

It is imperative that user management and business divisions have a list of assets and processes of which they are owners/custodians

They have to pick up from these assets/processes which are detailed/significant and which are baseline.

Only detailed processes will be selected for risk analysis

Baseline processes will be under genral risk management procedures.

Company Logo

Study Asset Classification Scheme

Information must be classified into-

i) Critical

ii) Vial

iii)Important

iv) Minor

Classification of information shall be made on sensitivity basis

Company Logo

Risk attitude/risk appetite

Risk attitude generally determines risk treatment; whether or not risks are to be tolerated, shared, avoided, retained or transferred and also whether these treatments are to be implemented or postponed to some future date. Like business continuity, a risk assessment Process is also driven by the top management.

Risk appetite-In the context of ISO 22301 standard, risk appetite refers to the amount and type of risk that an organization is prepared to accept, tolerate, or pursue.

Company Logo

Risk Tolerance Levels

Company Logo

Risk tolerance is a function of recognising those risks with which management is ready to suffer anomalies/loss.

Set Risk Criteria for Every Level

Threat Likelihood, Consequence Rating

Likelihood

of

Occurrence Consequence Threat Level Threat Rating

Low Low Low 1

Low Moderate Low 2

Low High Moderate 3

Moderate Low Low 2

Moderate Moderate Moderate 3

Moderate High High 4

High Low Moderate 3

High Moderate High 4

High High High 5

Company LDogo

Risk Dashboard

Company Logo

Prepare Threat List that is realistic for the business

Prepare a list of Threats-Vulnerabilities and give to users to select what is likely to affect them most

Make a threat-risk-impact analysis and rate all risks

Prioritizing risks in order of importance and based on cost-effect basis.

Company Logo

Match Threat with vulnerabilities

Threats

Fire

Earthquake

System downtime

Power outage

Hacker/cracker/sabotage

Disgruntled employee/dismissed employees

Theft

Unauthorized access

Vulnerabilities

Proximity to gas station

Glass structure of building

Network vulnerable

No redundancy

Firewall rules not configured properly

Allowed access to critical processes

No process for return of assets while leaving organization

Password sharing

Company Logo

To remove misconceptions arrange for second knowledge sharing

session

Interview business process heads

Take stock of existing controls

Identify vulnerabilities/gaps

Give it ranking in terms of criticality

NB: This can be effectively done in workshop mode

Company Logo

Identify existing controls

Threats are hovering inside and outside the organization.

A lot depends on an effective control system that safeguards against known risks.

A good management inculcates a risk culture by leading by example. I have witnessed an evacuation drill where the MD of the company was the first to walk after the alarm.

Being risk averse means being control savvy.

Company Logo

Company Logo

Question Time

3) The first requisite of risk management exercise is-

a) Risk strategy

b) Risk acceptance

c) Risk identification

d) Risk mitigationAssessing and Building a Risk Conscious Culture

Make Control Gap Assessment

Identify control gaps and suggest control measures

A CSA (Control Self Assessment) can be initiated and participation of line managers can be solicited to identify areas of high risk

Once risk gaps are identified, remediation measures can be defined and a time scale for meeting the remediation exercise can be determined.

Company Logo

Risk Assessment is a subjective exercise

To get best results people should be educated and guided towards using their business acumen, based on past precedents and future forecasts in assessing present risks and choosing appropriate risk treatment.

It is a collaborate and iterative exercise and hence embedding risk awareness and resilience to risk incidents is akin to taking vaccination against disease.

People run business processes and steered in the right perspective, people can safeguard organizational assets/processes.

Company Logo

Changing culture is always a challenge

Changing culture thus requires change at the beliefs level, which is often substantially more difficult than changing business process or information systems.

To complicate matters, there may be an overall company culture and sub-cultures across groups. Sometimes these can be in conflict.

While CEOs have the authority to lead cultural change across a company, they are limited in scope to drive belief changes in their specific sub-organization.

Company Logo

Culture is a matter of mindset

An integrated healthy atmosphere where people treat their work with ownership and responsibility and complement each other with the idea of one for all and all for one, risks will be minimised and dealt with promptly and at minim al expense.

Group programs, workshops, seminars, picnics and celebration for common festivals will promote a good cultural integration which is necessary for effective risk avoidance and mitigation

Company Logo

Thank you for your time…

Company Logo

Email pritisikdar6@gmail.com