Risk Management Life Cycle

Transcript of Risk Management Life Cycle

• 7/25/2019 Risk Management Life Cycle, slide 1/45

    IT Risk Management Life Cycle and enabling it with GRC Technology

    Debbie Lew ([email protected]), Senior Manager, E&Y

    Steven Jones ([email protected]), Senior Manager, E&Y

• Slide 2/45

    1. What is risk management? Common understanding
    2. IT risk management life cycle
    3. Key components of an IT risk management program
    4. Resources and enablers for IT risk management
    5. What does technology enablement mean?
    6. Industry perspective
    8. Trends and challenges
    9. Risk process implementation
    10. GRC technology implementation considerations
    11. Value considerations

• Slide 3/45

    Risk management is the identification, assessment, and prioritization of risks (the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

• Slide 4/45

    What are your challenges with IT risk management in your organization?

• Slide 5/45

    Industry perspective

    Risk management, regulatory, and compliance requirements are increasingly complex and intrusive (especially for financial services institutions) and have become a growing operational and financial burden. These requirements are not optional and must be met.

    Institutions have often approached the requirements in silos, leading to the creation of multiple risk governance processes, methods and infrastructure.

    Typical control functions are experiencing scope creep due to a combination of external and internal pressures. High expectations have blurred the lines of authority and responsibility among the control units.

    Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth.

    Significant amounts of time and money are spent complying with risk requirements, which can be further burdened by multiple requests and duplicative efforts.

    Management is demanding more comprehensive, consolidated, and actionable governance, risk and compliance information.

• Slide 6/45

    Risk management life cycle

• Slide 7/45

    IT risk management program

    IT risk governance and strategy, and the supporting organization, resources and components used to establish an effective, operational and sustainable IT risk management program. Components can include:

        Defined business drivers that align to risk strategy, charter and reporting on critical success factors

        Defined regulatory requirements and industry standards for adherence

        Defined governance structure for operating the program

        IT risk management strategic plan that defines program objectives, business driver alignment, critical success factors and measurements, risk governance structure, risk management processes, roles and responsibilities, risk appetite and tolerance guidance, strategic and tactical initiatives, timelines and work effort for design and implementation, and interdependencies with other functional operations (ERM/ORM, Security, BCM, Compliance, SOX, etc.)

        Defined risk management policies and standards

        Defined and documented taxonomy

        Defined IT Risk & Control Framework:
            Process/Risk/Control model
            Rating, scoring and weighting model or quantification model
            Risk identification process (internal and external data mining for trends, analysis and classification)
            Risk profiling attributes and process
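The rating, scoring and weighting model is the one component in the list above that is a calculation rather than a governance artifact, and it is what the risk appetite and tolerance guidance is applied to. The following Python is an added example, not the deck's or E&Y's model and not taken from ISACA: it assumes five-point likelihood and impact scales, three weighted impact dimensions (financial, regulatory, operational), a control-effectiveness factor and a residual-risk tolerance of 8 on a 1..25 scale. All of those choices are assumptions to be replaced by the organization's own taxonomy. It scores a constructed four-entry risk register, builds the treatment queue of risks above tolerance, and rolls residual scores up the business-unit hierarchy using the maximum rather than the sum so that many low risks cannot mask one high one.

```python
"""Weighted IT risk scoring over a small risk register (added example, not the deck's model).

Assumed model: inherent score = likelihood (1..5) x weighted impact (1..5);
residual score = inherent x (1 - control effectiveness); risks above the
stated tolerance are prioritized and rolled up along a hierarchy.
"""
from dataclasses import dataclass

# Ordinal rating scales (assumed five-point scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Impact dimensions and weights (assumed); they sum to 1.0 so the weighted impact stays on 1..5.
IMPACT_WEIGHTS = {"financial": 0.40, "regulatory": 0.35, "operational": 0.25}

# Fraction of inherent exposure a control removes (assumed effectiveness bands).
CONTROL_EFFECTIVENESS = {"none": 0.0, "weak": 0.25, "adequate": 0.5, "strong": 0.75}

# Rating bands on the 1..25 score and the residual-risk tolerance (assumed).
RATING_BANDS = ((15.0, "high"), (8.0, "medium"), (0.0, "low"))
RISK_TOLERANCE = 8.0


@dataclass
class Risk:
    risk_id: str
    business_unit: str  # node in the organizational hierarchy
    process: str        # node in the process hierarchy
    likelihood: str     # key of LIKELIHOOD
    impact: dict        # dimension -> key of IMPACT, one entry per IMPACT_WEIGHTS key
    control: str        # key of CONTROL_EFFECTIVENESS


def weighted_impact(risk: Risk) -> float:
    """Collapse the per-dimension impact ratings into one 1..5 figure using IMPACT_WEIGHTS."""
    missing = set(IMPACT_WEIGHTS) - set(risk.impact)
    if missing:  # an unrated dimension would silently lower the score, so refuse it
        raise ValueError(f"{risk.risk_id}: impact not rated for {sorted(missing)}")
    return sum(IMPACT_WEIGHTS[dim] * IMPACT[risk.impact[dim]] for dim in IMPACT_WEIGHTS)


def inherent_score(risk: Risk) -> float:
    """Likelihood x weighted impact, before considering controls (range 1..25)."""
    return LIKELIHOOD[risk.likelihood] * weighted_impact(risk)


def residual_score(risk: Risk) -> float:
    """Inherent score reduced by the effectiveness of the existing control."""
    return inherent_score(risk) * (1.0 - CONTROL_EFFECTIVENESS[risk.control])


def rating(score: float) -> str:
    """Map a score onto the high/medium/low bands."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    return "low"


def prioritize(register: list, tolerance: float = RISK_TOLERANCE) -> list:
    """Risks whose residual score exceeds tolerance, highest first (the treatment queue)."""
    over = [r for r in register if residual_score(r) > tolerance]
    return sorted(over, key=residual_score, reverse=True)


def aggregate_by(register: list, attribute: str, tolerance: float = RISK_TOLERANCE) -> dict:
    """Roll residual scores up one hierarchy attribute ("business_unit" or "process").

    The node score is the maximum residual, not the sum, so a single high risk
    is never hidden by many low ones; risks over tolerance are listed per node.
    """
    rollup: dict = {}
    for r in sorted(register, key=residual_score, reverse=True):
        node = rollup.setdefault(getattr(r, attribute),
                                 {"max_residual": 0.0, "rating": "low", "over_tolerance": []})
        score = residual_score(r)
        node["max_residual"] = max(node["max_residual"], score)
        node["rating"] = rating(node["max_residual"])
        if score > tolerance:
            node["over_tolerance"].append(r.risk_id)
    return rollup


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    Risk("R-001", "Retail Banking", "Online payments", "likely",
         {"financial": "major", "regulatory": "severe", "operational": "moderate"}, "weak"),
    Risk("R-002", "Retail Banking", "Core ledger", "possible",
         {"financial": "severe", "regulatory": "major", "operational": "severe"}, "strong"),
    Risk("R-003", "Wealth Management", "Client reporting", "unlikely",
         {"financial": "minor", "regulatory": "moderate", "operational": "minor"}, "none"),
    Risk("R-004", "Wealth Management", "Trade execution", "almost_certain",
         {"financial": "severe", "regulatory": "major", "operational": "major"}, "adequate"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.risk_id}: inherent {inherent_score(r):5.2f} ({rating(inherent_score(r))}), "
              f"residual {residual_score(r):5.2f} ({rating(residual_score(r))})")
    print("treatment queue:", [r.risk_id for r in prioritize(SAMPLE_REGISTER)])
    for unit, node in aggregate_by(SAMPLE_REGISTER, "business_unit").items():
        print(f"{unit}: max residual {node['max_residual']:.2f} ({node['rating']}), "
              f"over tolerance {node['over_tolerance']}")
```

Keep the scales, weights and tolerance in configuration owned by the risk function rather than in code, and version them: a change to a weight re-rates every risk in the register, so the date and approver of each scale change belongs in the same audit trail as the assessments themselves.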

• Slide 8/45

    Business case and value of an IT Risk (GRC) program

    Effective, documented response to numerous regulatory/industry/audit/compliance requirements

    Repeatable processes and risk-based technology decisions produce 8-12% cost savings (average from various sources including Gartner, Forrester, and the Risk Management Association)

    Reduce siloed and duplicative efforts
        Lines of business/functions are experiencing assessment fatigue
        Consistent controls and a consistent testing strategy focused just on the higher-risk areas deemed key for the organization

    Better allocation of technology spend and resources
        Defensible, risk-based decisions to properly allocate technology spend to the highest-risk areas

    Manage unknown risk
        Quickly identify new risks and quantify the cost of exposure through consistent processes (new systems, new technologies)
        Enable go-to-market for new ventures, emerging technologies, and business products

    System stability/performance
        Reduce system failures with a risk-based approach to system and architecture investments, e.g., identification and categorization of failure trends and issues with systems, allowing …

• Slide 9/45

    Risk IT Framework and Practitioners Guide

    COBIT 5 Framework and supporting products

• Slide 10/45

    ISACA's Risk IT Framework and Practitioners Guide

    Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that conform to these principles.

    The Risk IT framework is to be used to help implement IT governance.

    Organisations that have adopted (or are planning to adopt) COBIT as their IT governance framework can use Risk IT to enhance risk management.

• Slide 11/45

    Risk IT Framework

• Slide 12/45

    COBIT 5

    The COBIT 5 governance or management practices are equivalent to the Risk IT processes.

    The COBIT 5 activities are equivalent to the Risk IT management practices.

    COBIT 5 follows the same goal and metric concepts as Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view.

    COBIT 5 provides RACI charts describing roles and responsibilities, similar to Risk IT.

    A future enabler includes COBIT 5 for Risk.

• Slide 13/45

    Meeting Stakeholder Needs

    Principle 1. Meeting Stakeholder Needs: enterprises exist to create value for their stakeholders.

    Source: COBIT 5, figure 3. 2012 ISACA. All rights reserved.

• Slide 14/45

    COBIT 5: Enabling Processes

• Slide 15/45

    Enabling Process APO12 Manage Risk

• Slide 16/45

    When you hear the term GRC, what does it mean to you and your organization?

• Slide 17/45

    What does GRC technology enablement mean?

• Slide 18/45

    The development of business-aligned requirements to drive the use of technology to design, enhance, implement and operationalize …

    Organizations that use technology to enable their GRC processes have the potential to reduce the cost of risk management, enhance compliance and audit, streamline reporting, better manage risk, and deliver insight for better decision making. With enabling technology, companies can build an effective foundation that allows them to build efficiency, integrity and consistency into their processes:

        Data mapping to identify critical relationships between corporate objectives, risks and controls;
        Workflow to optimally coordinate activities across multiple layers of the organization;
        Decision support necessary for planning and reporting;
        Management of risks from identification to assessment and treatment;
        Modelling multiple risk hierarchies and integrating risk intelligence with other asset and risk information systems;
        Understanding the holistic IT process, risk and control environment in place within an organization; and
        (…, indicators) across the IT environment.

• Slide 19/45

    Governance, Risk & Compliance tool space

• Slide 20/45

    Business drivers for technology enablement

• Slide 21/45

    Business drivers

    Increasingly complex and updated risk management, regulatory and compliance requirements, and Board and shareholder expectations
        Pending Dodd-Frank legislation
        An increased pressure to comply with …
        Regulatory updates across FFIEC and BITS
        PCI DSS v2.0

    Duplication of risk governance processes, methods and infrastructure
        Too many siloed assessments across functional areas of technology
        Non-aggregated reporting across multiple sources of risk intelligence
        Inconsistent risk taxonomies

    Control functions are experiencing scope creep, and high expectations have blurred lines of authority/responsibility amongst control units
        Duplication of controls across multiple IT units
        Multiple shared controls that could be condensed
        Driving towards control convergence and automated control monitoring through technology

    Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth
        IT risk management requirements have increased while pressure is faced across available budget and headcount

• Slide 22/45

    Lines of business are experiencing risk management process fatigue due to the amount of time and money spent complying with risk requirements
        Repeat and overlapping assessments over functional areas of technology
        The time commitment required to follow organizational risk management processes is placing a burden on the first line of defense
        A non-prioritized approach to risk mitigation, leading to potential improper allocation of funds

    Management is demanding more comprehensive, consolidated, and actionable governance, risk and compliance information
        Reporting of risk management activity and outcomes across multiple hierarchies is a challenge for IT risk functions
        Organizations are facing challenges when attempting to incorporate risk intelligence across the organization

    Mergers & Acquisitions
        Multiple risk programs requiring consolidation and aggregation
        IT risks inherited from legacy environments

• Slide 23/45

    Most companies have taken a very siloed approach to risk and compliance management, which creates multiple redundancies and extensive inconsistency in how risks are assessed and managed.

    [Diagram: layers of the risk and compliance organization. External parties (regulators, analysts, investors); Board/senior management oversight (board oversight; audit, compensation, risk and other committees); executive management (CEO, CFO, CRO, General Counsel); control functions (internal audit, risk management, compliance, internal control, information technology, legal and regulatory, external audit); and the business units. The target state is labelled "Aligned mandate and scope", "Consistent methods and practices" and "Common information and technology".]

• Slide 24/45

    Trends and challenges

• Slide 25/45

    Key issues and trends facing GRC tools

    Lack of a GRC strategy, vision and holistic business and functional requirements can lead to incorrect tool selections, over-budget implementations of GRC tools, or misuse of GRC technology.

    There is a continued evolution and broader use of technology for GRC.

    There has been a recent entrance of software heavyweights into the GRC market.

    Use of business process management and assessment rules engines along with continuous auditing, monitoring and control testing.

    GRC vendors are developing relationships with other application vendors (competitors and complementary products) to extend the range of the software. Others have been acquired to combine product offerings into larger, more comprehensive packages.

• Slide 26/45

    Key issues and trends facing GRC tools

    A lack of governance and accountability for GRC tools can limit the return on investment from a GRC solution. Ownership of GRC technology is crucial to driving consistency in methodology, reporting and presentation.

    Many organizations are designing a holistic GRC technology ecosystem to achieve holistic risk intelligence across the enterprise.

    There are multiple regulatory environments that can be covered by GRC tools, and not one GRC vendor provides content to cover all the environments.

    There is increased board liability as it pertains to IT risk.

    Organizations are looking at leveraging GRC technology to facilitate a central corporate policy management portal.

    There is outsourcing of compliance monitoring for the internal and external business environments.

    Consulting firms are either tool agnostic or they are not. Many firms have strategic relationships with GRC vendors that may skew their perspective.

• Slide 27/45

    Current state limitations

    Definition of GRC
        The definition of GRC differs from client to client and vendor to vendor, leading to an inability to standardize GRC requirements and guide future development.

    Isolation of financial risk management functionality from mainstream GRC solutions

    No single solution available
        All solutions perform well for certain aspects of GRC, but no one solution provides a complete …

    Immature dashboarding and metrics
        Not all tools provide web-enabled reporting and dashboards.
        Non-financial RM tools do not provide advanced charting capabilities to address complex risk scenario analysis.

    Virtually non-existent global regulatory content

    Inconsistent framework mapping and content

    Only a select few tools allow for logic-based assessments (questionnaires, surveys, etc.), which integrate business workflow and risk calculations driven by assessment results.

    Risk control library management is not integrated into assessments to drive risk convergence.

• Slide 28/45

    Key issues & trends facing GRC

    Trends
        Continued evolution and broader use of technology for GRC
        Entrance of software heavyweights into the GRC market
        Architecting a holistic GRC technology ecosystem
        Multiple regulatory environments
        Increased board liability
        Integration of web services to enable risk and regulatory intelligence
        Implementation of a central corporate policy management portal
        Use of business process management and rules engines along with continuous auditing, monitoring and control testing
        Outsourcing of compliance monitoring for the internal and external business environments
        Acquisitions and alliances are forming to extend or enhance product offerings

    Issues
        No silver bullet
        Non-standard definition of GRC hampers the ability to define a future state and drive requirements
        Many of the systems currently in use were developed for a specific function or sector need; these vendors are challenged with finding alternative uses for their applications
        Immature dashboards and metrics
        Immature capabilities to gain real-time data feeds
        Inconsistent framework mapping
        Configuration flexibility
        Assessment methodology and maturity
        The initiative should be a directive from executive management with agreement from all key stakeholders

    Market issues are driving product trends.

• Slide 29/45

    What are your challenges (anticipated) in selecting, configuring and implementing GRC technology?

• Slide 30/45

    GRC tool implementation challenges

    Functional requirements, along with organizational and process convergence, should be defined prior to tool selection by performing a feasibility study. Organizations purchasing a solution and then attempting to converge the risk …

    The maturity of vendor solutions is not where it needs to be to meet all GRC functional requirements.

    A lack of understanding of how other business tools can integrate into GRC solutions, and of future GRC state requirements, still exists.

    Many organizations will need to customize their selected GRC tool or change their current methodologies, business processes, and hierarchies to have a successful GRC tool implementation.

    Content management decision: if aligning to leading practices, frameworks, and regulations, a decision needs to be made to determine whether you will rely on a vendor to provide and manage content going forward or whether it will be customized and managed by the client.

    Timeframes for implementation are often underestimated; most organizations take between 12-24 months for a successful implementation and for operational competencies to be realized.

    GRC tool cost is often underestimated due to improper calculation of the customization or functional and process modifications that will be needed by the firm.

    Lack of experienced and knowledgeable resources that are dedicated to GRC tool implementation.

• Slide 31/45

    A key consideration when analyzing GRC solutions is the concept of customization vs. configuration. These are two very distinct terms and have a significant impact on …

    Configuration refers to the process of altering a GRC solution by making basic changes to the out-of-the-box capability to meet business requirements. This process will not greatly enhance a GRC solution's functionality. Examples of configuration include:
        Changing colors
        Changing field properties (i.e., text, number, length, etc.)
        Adding fields
        Creating basic calculations

    Customization refers to the process of altering and enhancing a GRC solution by making advanced changes to the out-of-the-box capability to meet business requirements. This process can greatly enhance a GRC solution's functionality, at the cost of the added complexity, support and administration burden shown on the next slide. Examples of customization include:
        Building custom business workflow
        Using JavaScript or HTML to enhance the functionality of the GRC solution
        Using advanced calculations and logic
        Integrating data from multiple systems and sources

• Slide 32/45

    [Diagram: a balance between Customization on one side and Complexity, Support and Administration on the other, annotated "Need to increase cost to achieve balance". Caption: "What's the right balance for …"]

• Slide 33/45

    GRC tool functional coverage

    Governance: Standards; Procedures; PRC framework; Asset and hierarchy management
    Financial risk: Risk modeling; Financial risk impact analysis
    Risk management: Risk assessment; Risk identification; Risk analysis; KRIs; Threat and vulnerability
    Metrics, presentation and reporting: Ad-hoc reporting; Notifications; User interface; Statistical analysis; Historical trending; Data management
    Further capability areas shown: Awareness training; Project management; Information security; BCP/DR; Internal control management; KRI/KPI management; Audit tracking; Data export; Vendor management; Service delivery management
    Compliance: Regulatory content management; Leading practice content management; Compliance monitoring
    Audit: Program management; Scheduling; Attestation; Evidence capture; SAS 70/SOC 2
    Issues management
    Incident management
    Risk treatment: Risk acceptance; Policy exceptions; Risk transference
    Event capture: Loss capture

• Slide 34/45

    IT GRC tool vendor geographic footprint

    [Map: for each region the slide names a leader and the vendors with a presence. Vendors named are BWise, RSA Archer, Thomson Reuters and Modulo; BWise and RSA Archer each lead more than one region, Thomson Reuters leads one region jointly with RSA Archer, Modulo leads one region, and two regions have no leader with only a presence by BWise, RSA Archer or Thomson Reuters.]

• Slide 35/45

    Risk process implementation

• Slide 36/45

    Populations/inventories/authority information
        Determination of configuration management database and asset management tool integration for applications and supporting infrastructure, databases, operating systems and data centers
        Identification of relevant industry regulations and best practices to align with

    Business hierarchy
        Considerations around the functional, line of business (LOB) or entity hierarchy embedded within the GRC tool
        Determination of depth and breadth of the hierarchy

    SSO integration
        Integration with LDAP (Lightweight Directory Access Protocol) to simplify user authentication and user access administration. Bind to the directory over TLS (LDAPS or StartTLS) and map directory groups to least-privilege roles in the tool, since it will hold assessment results and audit evidence.

    Access control strategy

• Slide 37/45

    Potential technology enablement coverage

    [Matrix: capabilities (PRC Framework, Program Mgmt, Issues Mgmt, Case Mgmt, KRIs, Content Mgmt, UI/Metrics/Dashboards, Other) against functions (IT Risk, Op Risk, ERM, Internal Audit, Regulatory Risk, Legal & Compliance, Info Security); the cell markings are not shown in the transcript.]

• Slide 38/45

    GRC technology implementation considerations

• Slide 39/45

    Key GRC functional requirements

    Policy, Standards and Procedures Mgmt.: Content Management
    Risk Mgmt Processes (Assessments, KRIs, Event Capture, Risk Profiling, etc.): Risk Assessment and Risk Analysis Capabilities; Risk Identification and Profiling; Issues, Mitigation, Risk Acceptance Lifecycle Management; Risk Simulation Capability; Risk Weighting & Calculations; Statistical Analysis
    Audit Processes: Audit Processes and Workflow; Attestation Capabilities; Archival
    Vendor Management
    Training and Awareness
    Control Automation/Monitoring: Automated Control Testing; Real-Time Monitoring; Notification Services; Compliance Monitoring
    Metrics, Measurements, and Reporting: Quantity & quality of template reports; Ad hoc Reporting; Dashboards
    Frameworks & Hierarchy Structure (Org, Process, Risk, Control): Asset Management Capabilities; Hierarchy Structure (Organizational, Process, Risk, Control, Metrics and Reporting)
    Financial Risk Management: Financial Risk Modeling; Financial Risk Impact Analysis; Quantification Engine; Event Loss/Capture; Incident Management; Financial Risk Content (i.e. ratings)
    Technology Controls/Information Security
    Regulatory Mapping: Regulatory Mappings; Regulatory Compliance Capabilities and Leading Practices/Standards (…, PCI, FFIEC, BITS, COSO, ISO 27002, COBIT, ITIL, etc.)
    Business Process Management: Business Workflow Management
    Interoperability/Application Interface/Open Standards: Configuration Capabilities; Customization Capabilities

• Slide 40/45

    Key GRC functional requirements

    Available Modules and descriptions
    Additional Functionality
    System Administration
    Backup & Recovery
    Management Assurance
    Ease of Use
    Auditing and Logging
    Vendor Qualifications
    User Administration
    Documentation & Guidance
    Security Configuration
    Technical Architecture
    Client Base
    Market ratings and rankings
    Release Cycle
    Implementation Requirements
    Infrastructure Requirements
    Application Requirements
    Integration Capabilities
    Data Ownership & Management
    Product Training
    Risk Based Services
    Maintenance & Support
    Enterprise Scalability
    Single Sign-On Integration
    Data Integrity and Audit
    Future Product Roadmap
    Deployment & Migration
    End User Experience/Interface
    Teaming and Support from Vendor
    Industry Saturation/Customer loyalty
    Fees, Contracts and Software Arrangements

    This requirements exercise must be done to ensure proper tool selection.

• Slide 41/45

    Design considerations

    Convergence of risks, controls, processes, issues
    Roadmap and strategic approach
    Reporting requirements and data considerations
    Source of record vs. data feeds
    Implementation management
    Functional and technical requirement validation
    Support personnel

• Slide 42/45

    GRC technology enablement

    Suggested key milestones
        Development of technical specifications from business and functional requirements
            Technical specifications for risk assessments, issues management, and reporting
        Core framework solution implementation
        Risk process solution implementation
        Reporting and dashboarding implementation
        UAT completion and a run book/design binder
        Training material and procedural guides

    Suggested program deliverables
        Detailed design of core foundational components
            Organizational hierarchy
            Process hierarchy
            Risk hierarchy
            Control hierarchy
            Hierarchy relationships and interdependencies
        Design and implementation of risk assessment methodology and assessments
        Design and implementation of issues management
        Design and implementation of additional risk management processes
        Design and implementation of reporting and dashboarding requirements

• Slide 43/45

    Value considerations

• Slide 44/45

    Value proposition

    Measurable and documented transparency and compliance

    Decreased exposure to fraud, catastrophic losses and the full complement of operational risks

    Prepared to anticipate and respond to new and changing regulatory matters

    Greater insight and more effective decision support

    Better equipped to lower cost and improve performance

    … enterprise information

• Slide 45/45

    Thank you!