Page 1:
Copyright © 2012, Chapman Technology Group, Inc. All Rights Reserved.

Risk Management: What Works

The Main Event, 2nd Annual GRC Symposium
May 16, 2012
Brookfield, Wisconsin

Mark T. Chapman, CISSP, CISM, CRISC
Chapman Technology Group, Inc.
www.PhishLine.com
mchapman @ phishline.com

Page 2:
In theory, Risk Management should be easy. Identify critical assets, consider potential risks, evaluate mitigating factors, measure results, take action, and repeat.

In practice, many organizations struggle with the basic terms and concepts. For those who master the concepts, the “exponentially increasing complexity” of risk management efforts can quickly overwhelm organizations of every size.

Page 3:
Risk Assessment for a Television Interview

I primarily didn’t want to:
• Look like an idiot.
• Get sued for saying or doing anything dumb.

Secondarily, I didn’t want to:
• Be rushed to get there or be late.

Page 4:
Preemptive Mitigation for a Television Interview

• Extra suit in the car.
• Extra laptop.
• Charge cellphone and laptops.
• Practice the demo.
• Gas up the car the night before.
• Leave the house early.

Page 5:
Unanticipated Risks for a Television Interview

• Required cell phone was completely discharged 2 hours before the shooting.
• I almost tripped on a lighting cable in the studio.

Page 6:
Damage Assessment for a Television Interview

Financial Loss: while shooting the in-the-field portion of the story, I got a parking ticket!

Page 7:
[Cube diagram: a three-dimensional risk cube with one axis per dimension]
Risk Area: Financial Loss, Strategic Harm, Reputation Damage, Technical Breaches, Compliance Failure
Threat Source: Evil Doers, Competitors, Natural Disaster, Employees, Technology
Category: Confidentiality, Integrity, Availability, Liability, Policy

Page 8:
[Cube diagram, repeated from page 7, with the same three axes]
Risk Area: Financial Loss, Strategic Harm, Reputation Damage, Technical Breaches, Compliance Failures
Threat Source: Evil Doers, Competitors, Natural Disaster, Employees, Technology
Category: Confidentiality, Integrity, Availability, Liability, Policy

Page 9:
[Cube diagram; labels shown: Risk Area, Threat Source, Category]

Page 10:
[Cube diagram; labels shown: Risk Area, Threat Source, Category, Reputation Damage]

Page 11:
[Cube diagram; labels shown: Risk Area, Threat Source, Category, Reputation Damage, Employees]

Page 12:
[Cube diagram; labels shown: Risk Area, Threat Source, Category, Reputation Damage, Employees, Liability]

Page 13:
[Cube diagram; same labels as page 12]

Page 14:
[Cube diagram; same labels as page 12, plus the first projected pair score]
(Reputation Damage, Employees 5)

Page 15:
[Cube diagram; second projected pair score added]
(Reputation Damage, Employees 5)
(Reputation Damage, Liability 3)

Page 16:
[Cube diagram; third projected pair score added]
(Reputation Damage, Employees 5)
(Reputation Damage, Liability 3)
(Employees, Liability 1)

Page 17:
[Cube diagram; same as page 16]
(Reputation Damage, Employees 5)
(Reputation Damage, Liability 3)
(Employees, Liability 1)

Page 18:
[Cube diagram; same as page 16]
(Reputation Damage, Employees 5)
(Reputation Damage, Liability 3)
(Employees, Liability 1)

This “Cublet” is a specific Risk Area, Threat Source, and Category.

The score is computed from the Projected values.

Score(Reputation Damage, Employees, Liability) = Function(1, 3, 5)
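The cublet scoring on pages 14-18 can be made concrete. The following is an added example written for this transcript, not code from the deck or from Chapman Technology Group: it takes the three axes from the cube on page 7 and the three projected values shown on pages 14-16 (5, 3 and 1), scores one cublet as a function of its three projections, and ranks every cublet in the 5 x 5 x 5 cube. The deck writes only Score(...) = Function(1, 3, 5), so the combining function is an assumption (mean by default, max as the conservative alternative), and every pair the slides do not score is treated as 0 here.

```python
"""Scoring a "cublet" of the three-dimensional risk cube from its projections.

Added example; not code from the deck. The axes and the three projected values
(5, 3, 1) come from the slides; the combining function is an assumption, since
the deck only writes Score(...) = Function(1, 3, 5).
"""
from itertools import product
from statistics import mean
from typing import Callable, Dict, List, Tuple

# The three axes as labelled on the cube diagram (page 7).
RISK_AREAS = ["Financial Loss", "Strategic Harm", "Reputation Damage",
              "Technical Breaches", "Compliance Failure"]
THREAT_SOURCES = ["Evil Doers", "Competitors", "Natural Disaster",
                  "Employees", "Technology"]
CATEGORIES = ["Confidentiality", "Integrity", "Availability",
              "Liability", "Policy"]

Pair = Tuple[str, str]
Projection = Dict[Pair, int]

# Scores on the three two-dimensional projections of the cube. The three
# values below are the ones shown on pages 14-16; every other pair is
# treated as unscored (0) for this example (assumption).
AREA_BY_SOURCE: Projection = {("Reputation Damage", "Employees"): 5}
AREA_BY_CATEGORY: Projection = {("Reputation Damage", "Liability"): 3}
SOURCE_BY_CATEGORY: Projection = {("Employees", "Liability"): 1}


def _check_axis(label: str, axis: List[str], name: str) -> None:
    # Reject labels that are not on the axis so a typo cannot silently score 0.
    if label not in axis:
        raise ValueError(f"{label!r} is not a {name} on the cube")


def projected_values(area: str, source: str, category: str,
                     area_by_source: Projection = AREA_BY_SOURCE,
                     area_by_category: Projection = AREA_BY_CATEGORY,
                     source_by_category: Projection = SOURCE_BY_CATEGORY
                     ) -> Tuple[int, int, int]:
    """Return the three projected scores this cublet projects onto."""
    _check_axis(area, RISK_AREAS, "Risk Area")
    _check_axis(source, THREAT_SOURCES, "Threat Source")
    _check_axis(category, CATEGORIES, "Category")
    return (area_by_source.get((area, source), 0),
            area_by_category.get((area, category), 0),
            source_by_category.get((source, category), 0))


def cublet_score(area: str, source: str, category: str,
                 combine: Callable = mean,
                 **projections: Projection) -> float:
    """Score(area, source, category) = combine(projected values).

    mean is the assumed default; max is the conservative choice because it
    lets the worst projection dominate the cublet.
    """
    return float(combine(projected_values(area, source, category, **projections)))


def cube_size() -> int:
    """Number of cublets: one per (Risk Area, Threat Source, Category)."""
    return len(RISK_AREAS) * len(THREAT_SOURCES) * len(CATEGORIES)


def rank_cublets(combine: Callable = mean, top: int = 5,
                 **projections: Projection
                 ) -> List[Tuple[float, Tuple[str, str, str]]]:
    """Score every cublet and return the `top` highest, ties broken by label."""
    scored = [(cublet_score(a, s, c, combine, **projections), (a, s, c))
              for a, s, c in product(RISK_AREAS, THREAT_SOURCES, CATEGORIES)]
    scored.sort(key=lambda entry: (-entry[0], entry[1]))
    return scored[:top]


if __name__ == "__main__":
    print(cublet_score("Reputation Damage", "Employees", "Liability"))       # 3.0
    print(cublet_score("Reputation Damage", "Employees", "Liability", max))  # 5.0
    for score, cublet in rank_cublets():
        print(f"{score:4.2f}  {cublet}")
```

Under the mean, the cublet (Reputation Damage, Employees, Liability) is the only one touched by all three scored projections, so it ranks first; under max, every cublet sharing the (Reputation Damage, Employees) projection scores 5, which is why the choice of Function has to be decided and documented before scores are compared.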

Page 19:
Did the “formal process” help?

• Preemptive Mitigation?
• Unanticipated Risks?
• Damage Assessment?
• Why or Why Not?

Page 20:
What Works!

• People manage risk ALL THE TIME.
• Companies manage risks ALL THE TIME.
• It should feel natural, logical,
• And, Risk Management should ALWAYS pass the “Common Sense” test.

Page 21:
High-Level Approach – PUSH

• Preparation
• Universe Definition
• Scoring
• Hitting the Mark

The PUSH Approach was first presented to the FFIEC Information Technology Conference by Mark Chapman in 2007.

Page 22:
Preparation

• Earn Management Buy-In
• Decide to In-Source or Outsource
• Anticipate the Benefits
• Identify the Specific Purpose
• Evaluate Automation Options

Page 23:
Earn Management Buy-In

Motivators:
• Compliance / Fear
• Means to justify other initiatives
• New Management Eager to Learn
• “True Believers”

Challenges:
• “It costs money”
• “I already know the risks better than anyone”
• “We have more important things to do”

Results:
1. Go through the motions
2. Do it right

Page 24:
In-Source or Outsource?

• Current Capability
– Do we have the capability or can we train in-house?
– Can we identify a firm with independent, knowledgeable and sufficient resources?
• Future Capability
– Turnover of trained employees
– Dependence on consultants

Page 25:
Anticipated Benefits

• To learn something new
• To validate or quantify a concern
• To standardize communication of risk
• To establish common language and tools
• To satisfy the auditors

Page 26:
Specific Purpose

• Audit Planning
• Budgeting
• Compliance
• Disaster Recovery
• Policy Writing
• Risk Management
• Remediation
• Vendor Selection

Hint: You must understand the specific purpose of the risk management project.

Page 27:
Automation

• Paper
• Excel / Word
• Specialized Software

Page 28:
High-Level Approach - PUSH™

• Preparation
• Universe Definition
• Scoring
• Hitting the Mark

Page 29:
Universe Definition

• Goal:
– To Define an Appropriate Universe for the Size and Complexity of the Institution
• Choose the Number of “Dimensions”
– Assets, Risks, Controls
• For Each Dimension
– Define Scope, Granularity, Level of Detail
– Populate the Universe

Page 30:
Copyright © 2005-2008, Chapman Technology Group, Inc. All Rights Reserved.

Risk Assessment Math: It seems Easy!

• Assets – “Valuables” which must be protected
• Risks – “Bad things” that could happen to “Valuables”
• Controls – “Mitigating Factors” to limit impact of “Bad Things”

Why is it so Difficult to Implement?

• 50 Assets X 50 Risks X 50 Controls = 125,000 Combinations!
• 600 Assets X 70 Risks = 42,000 Combinations before we get to controls!

Page 31:
Copyright © 2005-2008, Chapman Technology Group, Inc. All Rights Reserved.

Risk Management Universe

[Cube diagram with axes labelled Assets, Risks, Controls]

3-Dimensions*
• Assets
• Risks
• Controls

* Technically, there is a fourth dimension. Instead of “Time” it is “Testing”, which gets into Risk Monitoring.

Page 32:
2-Dimensional Example

Page 33:
How Many Dimensions?

[Table: each scope against the three dimensions Assets, Risks and Controls; the marks in the table cells did not survive extraction]
Scopes compared:
• Business Impact Analysis
• Inherent Risk Assessment
• Risk-Based Audit Plan
• Disaster Recovery Plan
• Risk-Based Audit

Page 34:
Asset Universe

Granularity: How many levels of assets do we want to consider? (Buildings, Rooms, Individual Bricks)

Detail: How much information do we want to understand for each asset? (Asset Type, Asset Owner, Importance, Dependencies)

Scope: Business Functions, Fixed-Assets, Strategies, Brands, Contracts, Cash, Intellectual Property, Products, People

Page 35:

Assets - Level of Detail

Determine the attributes to characterize assets.

Hint: Keep the list small and add as needed.

Page 36:
Assets – Documentation*

Take the opportunity to centralize asset documentation:
• Pictures, Diagrams, Schematics, Building Plans
• Policies, Procedures
• Contracts, Licenses, Vendor Data
• Phone #’s, Key Contacts, Password Escrow

* Do the same thing for Risks and Controls.
Example #1: Keep pictures of fire suppression, power and other critical infrastructure.
Example #2: Attach pictures of bad check writers.

Page 37:
Risk Universe

Granularity: How many levels of risks do we want to consider? (City-Wide Blackout, Accidental Power Disconnect, Mouse Chews Through Power Cord)

Detail: How much information do we want to understand for each risk? (Risk Type, Threat Source, Likelihood, Impact)

Scope: Power Outage, Pandemics, Water Damage, Fraud, Computer Hacking, Employee Turnover, Tampering

Page 38:

Risks - Level of Detail

Determine the attributes to characterize risks.

Hint: Keep the list small and add as needed.

Page 39:
Controls Universe

Granularity: How many levels of controls do we want to consider? (Use a Framework, Individual “Bricks”)

Detail: How much information do we want to understand for each control? (Control Owner, Effectiveness, Compliance Info, Assessment Criteria)

Scope: Financial, Physical, Technological, Reputation, Legal, Insurance

Page 40:

Controls - Level of Detail

Determine the attributes to characterize controls.

Hint: Keep the list small and add as needed.

Page 41:
High-Level Approach - PUSH™

• Preparation
• Universe Definition
• Scoring
• Hitting the Mark

Page 42:
Scoring

• Choose Scale
• Normalize
• Prioritize and Trim
• Associate
• Adjust Compound Scores

Page 43:
Choose Scale

Define a consistent scale.
• Numeric (1-5), (0.0-1.0), (1-3), (0%-100%)
• Descriptive (Low, Med, High), (Nice-To-Have, Normal, Critical)

Page 44:
Normalize

Set the Relative Importance of:
• Risks with respect to other Risks
• Assets to other Assets
• Controls to other Controls

Page 45:
Prioritize and Trim

Goal: To combat the natural exponential growth of assessment efforts by reducing the number of low-priority assets, risks and controls.

Approach: Select a threshold for exclusion from further risk assessment efforts while documenting the decision. Retain all excluded data to accommodate priority changes and to reduce duplicate analysis next time.

Page 46:
Associate

1. Be Selective
2. Use Common Sense
3. Document Reasons for Exceptions

Page 47:
Adjust Compound Scores

Use Initial Scores with Few Documented Exceptions.
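The scoring steps on pages 42-45 (choose a scale, normalize, prioritize and trim) form one procedure, and the combinatorial figures on page 30 show why trimming matters. The following is an added example written for this transcript, not code from the deck or from Chapman Technology Group. It normalizes ratings entered on the different scales listed on page 43 onto one 0.0-1.0 range, trims each dimension against a threshold while recording and retaining every excluded item with its reason, and reports how many asset x risk x control combinations remain. The mapping of each scale onto 0.0-1.0, the "keep at or above threshold" rule, and the sample universe are assumptions constructed for the example.

```python
"""Scoring pipeline: choose a scale, normalize to 0.0-1.0, then prioritize and
trim the universe while retaining everything that was excluded.

Added example; not code from the deck. The scales are the ones listed on
page 43; mapping each onto 0.0-1.0, the threshold rule and the sample
universe are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Descriptive scales become ordered levels spread evenly over 0.0-1.0.
LOW_MED_HIGH = {"Low": 0.0, "Med": 0.5, "High": 1.0}
NICE_NORMAL_CRITICAL = {"Nice-To-Have": 0.0, "Normal": 0.5, "Critical": 1.0}

# Every scale from page 43, mapped onto one common 0.0-1.0 range (assumption).
SCALES: Dict[str, Callable[[object], float]] = {
    "numeric_1_5": lambda v: (float(v) - 1.0) / 4.0,
    "numeric_1_3": lambda v: (float(v) - 1.0) / 2.0,
    "fraction_0_1": lambda v: float(v),
    "percent": lambda v: float(str(v).rstrip("%")) / 100.0,
    "low_med_high": lambda v: LOW_MED_HIGH[v],
    "nice_normal_critical": lambda v: NICE_NORMAL_CRITICAL[v],
}


def normalize(raw: object, scale: str) -> float:
    """Map a raw rating on the named scale onto 0.0-1.0; reject out-of-range input."""
    if scale not in SCALES:
        raise ValueError(f"unknown scale {scale!r}")
    score = SCALES[scale](raw)
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"{raw!r} is outside the {scale} scale")
    return round(score, 4)


@dataclass
class Item:
    """One entry of the universe: an asset, risk or control with its rating."""
    name: str
    kind: str            # "asset", "risk" or "control"
    raw: object          # rating exactly as entered
    scale: str           # key into SCALES
    score: float = field(init=False)

    def __post_init__(self) -> None:
        self.score = normalize(self.raw, self.scale)


@dataclass
class TrimDecision:
    """Record of an excluded item, retained so the exclusion can be revisited."""
    item: Item
    reason: str


def prioritize_and_trim(items: Sequence[Item], threshold: float
                        ) -> Tuple[List[Item], List[TrimDecision]]:
    """Keep items scoring at or above `threshold`; document and retain the rest."""
    kept: List[Item] = []
    excluded: List[TrimDecision] = []
    for item in sorted(items, key=lambda i: i.score, reverse=True):
        if item.score >= threshold:
            kept.append(item)
        else:
            excluded.append(TrimDecision(
                item, f"{item.kind} scored {item.score} below threshold {threshold}"))
    return kept, excluded


def universe_size(assets: Sequence, risks: Sequence,
                  controls: Optional[Sequence] = None) -> int:
    """Combinations to assess: assets x risks, times controls when present."""
    size = len(assets) * len(risks)
    return size * len(controls) if controls is not None else size


# Constructed sample universe, rated on three different scales.
ASSETS = [Item("Core banking system", "asset", 5, "numeric_1_5"),
          Item("Customer records", "asset", 5, "numeric_1_5"),
          Item("Brand", "asset", 4, "numeric_1_5"),
          Item("Lobby signage", "asset", 1, "numeric_1_5")]
RISKS = [Item("Power Outage", "risk", "High", "low_med_high"),
         Item("Computer Hacking", "risk", "High", "low_med_high"),
         Item("Employee Turnover", "risk", "Med", "low_med_high"),
         Item("Mouse Chews Through Power Cord", "risk", "Low", "low_med_high")]
CONTROLS = [Item("UPS and generator", "control", "90%", "percent"),
            Item("Patch management", "control", "75%", "percent"),
            Item("Desk plant policy", "control", "10%", "percent")]


def run(threshold: float = 0.5) -> Dict[str, object]:
    """Trim each dimension and report the universe size before and after."""
    before = universe_size(ASSETS, RISKS, CONTROLS)
    kept_a, ex_a = prioritize_and_trim(ASSETS, threshold)
    kept_r, ex_r = prioritize_and_trim(RISKS, threshold)
    kept_c, ex_c = prioritize_and_trim(CONTROLS, threshold)
    return {
        "before": before,
        "after": universe_size(kept_a, kept_r, kept_c),
        "kept": [i.name for i in kept_a + kept_r + kept_c],
        "excluded": {d.item.name: d.reason for d in ex_a + ex_r + ex_c},
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With a threshold of 0.5 the constructed universe drops from 48 combinations to 18, and each excluded entry keeps its name, raw rating and the documented reason, which is what makes the next assessment cycle a review of prior decisions rather than a repeat of the analysis.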

Page 48:
High-Level Approach - PUSH™

• Preparation
• Universe Definition
• Scoring
• Hitting the Mark

Page 49:
Hitting the Mark

• Evaluate Intended Specific Purpose
• Write the “Final Report”
• Track Actions Over Time
• Evaluate Project Effectiveness

Page 50:
Intended Specific Purpose

Risk Management can only “Hit the Mark” if it serves a purpose:
– Audit Planning
– Budgeting
– Compliance
– Disaster Planning
– Policy Writing
– Risk Management
– Remediation
– Vendor Selection

[Flow diagram; box labels as extracted: Characterize Assets, Identify Raw Risks, Consider Mitigating Factors, Calculate Residual Risk Exposure, Create Audit Plan, Create Audit Program, Advance Important Items, Advance Areas of Higher Risk, Inventory Assets]

Page 51:
Write the “Final Report”

• Do not
– Put too much emphasis on the final deliverable
– Think “bigger is better”
• Do focus on
– Process used (brief)
– Discoveries
– Trends
– Actions (proposed, planned or completed)

Page 52:
Copyright © 2005-2007, Chapman Technology Group, Inc. All Rights Reserved.

Manage Observations/Findings

Page 53:
Copyright © 2005-2007, Chapman Technology Group, Inc. All Rights Reserved.

Manage Observations/Findings

Page 54:
Evaluate Effectiveness

• What did you learn through the process?
• What unexpected benefits did you realize?
• How did you keep the process from getting too detailed or out of control?
• How can you improve the process next time?
• These charts look scientific and absolute - how did you handle the inherent subjectivity?
• Did you achieve your objectives?

Page 55:
Additional Considerations

• Risk Tolerance
• Trending
• Monitoring
• Disaster Recovery Planning
• Monte Carlo Simulations
• Surveys
• Testing

Page 56:
Conclusion - PUSH™

• Preparation
• Universe Definition
• Scoring
• Hitting the Mark

Page 57:
What Works!

1. Identify what you want to protect (Assets). What bad things could happen (Risks). Mitigating Factors (Controls).
2. Look at what has changed since the last assessment. (Business/Technical Changes, Audit Findings, Incidents, Remediation Activities, Regulatory Changes.)
3. Communicate.

Page 58:
What Works!

• People manage risk ALL THE TIME.
• Companies manage risks ALL THE TIME.
• It should feel natural, logical,
• And, Risk Management should ALWAYS pass the “Common Sense” test.

Page 59:
Risk Assessment for a Presentation to ISACA

I didn’t want to…
• Look like an idiot.
• Go over/under time too much.

Page 60:
Questions?

mchapman @ phishline.com
262.546.1867 ext. 7010

Page 61:
Thank You!

mchapman @ phishline.com
262.546.1867 ext. 7010