Value creation through optimising risk
![Page 1: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/1.jpg)
VALUE CREATION THROUGH OPTIMISING RISK
Garry Barnes Vice President ISACA
October 2014
![Page 2: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/2.jpg)
BACKGROUND
ISACA:
International Vice President
Strategic Advisory Council
Credentialing and Career Management Board
CISM Certification Committees
Sydney Chapter 2003-2012 (President 2008-10)
Security, Governance, Risk and Audit:
Managing Consultant, BAE Systems
Risk Manager & Information Security Consultant, Commonwealth Bank of Australia
Information Security Manager & IT Audit Manager, NSW Departments of Education & Commerce
CISA CISM CGEIT CRISC MAICD
![Page 3: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/3.jpg)
COMMON APPROACHES
3 | 22/10/2014
Risk = Threats x assets x vulnerabilities
Risk: the likelihood that a loss will occur.
![Page 4: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/4.jpg)
RISK MANAGEMENT AT LOW PERFORMING ORGANISATIONS
✗ Is used primarily for compliance:
  ✗ Supporting compliance reporting
  ✗ Identifying and assessing controls to minimise breaches
✗ Is constrained by internal organisational boundaries
✗ Is reactive:
  ✗ An additional and separate step in decision making
  ✗ Identified risks viewed as poor performance
✗ Static view of risk:
  ✗ Ignoring changing business requirements
  ✗ Once a year risk assessment
✗ Ineffective risk monitoring:
  ✗ Inaccurate measurement of actual risk levels
  ✗ No enterprise-wide view provided by risk aggregation
✗ Wrong accountability model:
  ✗ Risk Managers (or Owners) vs Risk Facilitators (or Function)
![Page 5: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/5.jpg)
RISK MANAGEMENT AT TOP PERFORMING ORGANISATIONS
✓ Is closely linked with strategy:
  ✓ Risk with new products and services, Mergers and Acquisitions, etc.
✓ Is proactive and consistent:
  ✓ Risk information is available to support strategic, change and operational decisions
✓ Integrates Enterprise and IT risk:
  ✓ Common language
  ✓ Aggregation of risks
✓ Links with business outcomes:
  ✓ Creates awareness and understanding of risk policy
  ✓ Risk Appetite Statement provides a reference point leading to better business decisions
![Page 6: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/6.jpg)
The Governance Objective:
“Value creation means realising benefits at an optimal resource cost while optimising risk”
COBIT 5 – “RISK OPTIMISATION”
![Page 7: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/7.jpg)
NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
![Page 8: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/8.jpg)
COBIT 5 FOR RISK – “DUALITY OF RISK”
Do things well and preserve or gain value
Do things badly and lose or fail to gain value
![Page 9: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/9.jpg)
NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
![Page 10: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/10.jpg)
ADDRESSING TWO PERSPECTIVES ON RISK
![Page 11: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/11.jpg)
RISK FUNCTION CAPABILITIES
Risk governance e.g. 3LoD
Risk culture & behaviours
Risk training
Risk systems
Risk methodology
Risk principles, policy
Risk accountability
Risk criteria
Risk intelligence
![Page 12: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/12.jpg)
RISK MANAGEMENT CAPABILITIES
Risk planning
Risk monitoring
Risk methodology
![Page 13: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/13.jpg)
CORE AND SUPPORTING RISK PROCESSES
Core risk processes
Key supporting processes
![Page 14: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/14.jpg)
CORE RISK PROCESSES
Governance process: EDM03 – Ensure risk optimisation:
This process covers the understanding, articulation and communication of the enterprise risk appetite and tolerance and ensures identification and management of risk to the enterprise value that is related to IT use and its impact.
• Define and communicate risk thresholds
• Make sure key IT-related risk is known
• Ensure risk does not exceed appetite
![Page 15: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/15.jpg)
CORE RISK PROCESSES
Management process: APO12 – Manage risk:
This process covers the continuous identification, assessment and reduction of IT-related risk within levels of tolerance set by enterprise executive management.
• Collect appropriate data and analyse risk
• Maintain risk profile and articulate risk
• Define action plan and respond
![Page 16: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/16.jpg)
NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
![Page 17: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/17.jpg)
RISK SCENARIOS
Common risk identification challenges:
• Volume of identifiable risks
• Generic risk descriptions – misalignment with business
• Process and control failure risks – incidents!
• Over specification of risk detail
• Repetition of risk across BU’s
![Page 18: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/18.jpg)
RISK SCENARIOS
![Page 19: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/19.jpg)
NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
![Page 20: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/20.jpg)
WHAT IS RISK APPETITE?
ISO 31000: Amount and type of risk that an organisation is willing to pursue or retain.
COBIT 5 for Risk: The broad-based amount of risk in different aspects that an enterprise is willing to accept in pursuit of its mission (or vision).
“Acceptable Level of Risk”
![Page 21: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/21.jpg)
DESIGNING RISK APPETITE
Risk Appetite lifecycle: Design, Construct, Implement, Govern
Risk Appetite and Risk Tolerance Consultation Paper, Institute of Risk Management, May 2011 – Figure 1. Used with permission.
![Page 22: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/22.jpg)
DESIGNING RISK APPETITE
Risk Appetite lifecycle: Design, Construct, Implement, Govern
• Business risk context
• Risk capacity and capability
• Risk philosophy
• Risk outcomes
![Page 23: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/23.jpg)
POOR POLICIES INHIBIT OPTIMISING RISK
Policy often preceded Risk Appetite Statements:
• Legacy effect of historic policy positions
• Enterprise-wide policies lack granularity for local risk/reward decisions
• Tightening of policies after incidents
Codes of Conduct:
• Great place to start when developing a Risk Appetite Statement
• Language the Board and Executives understand
• Often cover some key areas of risk – expectations, compliance
![Page 24: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/24.jpg)
CONSTRUCTING RISK APPETITE
Risk Appetite lifecycle: Design, Construct, Implement, Govern
• Risk domains
• Risk appetite statements
• Risk metrics (KRIs)
• Risk tolerances
![Page 25: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/25.jpg)
DETAILED RISK APPETITE STATEMENTS
Very Low (e.g. compliance risk):
• Avoid exposures
• Ensure awareness and operation of controls
• Assurance of KPIs and KRIs
Low (e.g. operational risk):
• Minimise risk exposures
• Provide awareness and operation of controls
• Monitor and report KPIs and KRIs
Moderate (e.g. program risk):
• Allow local decisions for risk/reward, cost/benefit
• Use timely risk information to drive risk response
High (e.g. investment risk):
• Seek strategic opportunities
• Manage risk and return
• Communicate expectations and outcomes
![Page 26: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/26.jpg)
RISK TOLERANCE
Risk tolerance levels are tolerable deviations from the level set by the risk appetite definitions.
Risk Appetite and Risk Tolerance Consultation Paper, Institute of Risk Management, 2011. Used with permission.
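The slides define appetite levels per risk domain, KRIs as the metrics, and tolerance as the tolerable deviation from the appetite level, and they call for enterprise-wide aggregation rather than per-unit silos. The following Python is an added illustration, not code from the presentation or from ISACA; the data model (a target KRI value per domain, a tolerance above it, readings per business unit) and the sample readings are constructed assumptions chosen to show how a KRI reading is classified as within appetite, within tolerance, or a breach, and how the worst per-unit status rolls up to the enterprise view.

```python
"""Classify KRI readings against a risk appetite target and tolerance band,
then aggregate per-business-unit results into an enterprise-wide view.

Assumed model (not from the slides): each risk domain carries an appetite
level, one KRI, a target value the appetite statement expects, and a
tolerance, i.e. the tolerable deviation above the target. Readings above
target + tolerance are breaches that should be escalated (EDM03: ensure
risk does not exceed appetite).
"""
from dataclasses import dataclass, field

# Ordering used when rolling up several business units into one status.
SEVERITY = {"within appetite": 0, "within tolerance": 1, "breach": 2}


@dataclass
class KriReading:
    business_unit: str
    value: float


@dataclass
class RiskDomain:
    name: str
    appetite_level: str      # e.g. "Very Low", "Low", "Moderate", "High"
    kri_name: str
    target: float            # KRI value the appetite statement expects
    tolerance: float         # tolerable deviation above the target
    readings: list = field(default_factory=list)

    @property
    def ceiling(self) -> float:
        """Highest KRI value still inside the tolerance band."""
        return self.target + self.tolerance


def classify(domain: RiskDomain, value: float) -> str:
    """Place one KRI reading relative to appetite and tolerance."""
    if value <= domain.target:
        return "within appetite"
    if value <= domain.ceiling:
        return "within tolerance"
    return "breach"


def assess_domain(domain: RiskDomain) -> dict:
    """Per-business-unit status plus the worst status as the aggregate."""
    per_bu = {r.business_unit: classify(domain, r.value) for r in domain.readings}
    worst = max(per_bu.values(), key=SEVERITY.get, default="within appetite")
    return {
        "domain": domain.name,
        "appetite": domain.appetite_level,
        "kri": domain.kri_name,
        "per_bu": per_bu,
        "aggregate": worst,
    }


def enterprise_report(domains: list) -> dict:
    """Enterprise-wide view: every domain assessed, breaches listed for escalation."""
    results = [assess_domain(d) for d in domains]
    escalate = [r["domain"] for r in results if r["aggregate"] == "breach"]
    return {"domains": results, "escalate": escalate}


def sample_domains() -> list:
    """Constructed sample data (hypothetical figures, not from the slides)."""
    compliance = RiskDomain(
        name="Compliance", appetite_level="Very Low",
        kri_name="regulatory findings past due", target=0, tolerance=1,
        readings=[KriReading("Retail", 0), KriReading("Wealth", 2),
                  KriReading("Operations", 1)],
    )
    investment = RiskDomain(
        name="Investment", appetite_level="High",
        kri_name="projects over budget (%)", target=10, tolerance=5,
        readings=[KriReading("Retail", 8), KriReading("Wealth", 14)],
    )
    return [compliance, investment]


if __name__ == "__main__":
    report = enterprise_report(sample_domains())
    for r in report["domains"]:
        print(f"{r['domain']} ({r['appetite']} appetite, KRI: {r['kri']}): "
              f"{r['aggregate']} {r['per_bu']}")
    print("Escalate:", report["escalate"])
```

The roll-up takes the worst per-unit status so that a breach in one business unit is visible at enterprise level even when the other units are comfortably inside appetite; a sum or average would hide exactly the local deviation the tolerance band is meant to surface.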
![Page 27: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/27.jpg)
IMPLEMENTING RISK APPETITE
Risk Appetite lifecycle: Design, Construct, Implement, Govern
• Communicate & train
• Risk calendar
• Risk tools
• Measure against KRIs
![Page 28: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/28.jpg)
IMPLEMENTING RISK APPETITE
Communicate:
• Inform key stakeholders: Directors, Executives, Business and Operations Managers
• Clarify accountability between risk function and risk management roles
• Provide tools and guidance
• Enable active use of the risk appetite statements in daily business operations
• Deploy the Risk Function as support for risk processes
Monitor:
• Monitor operational metrics and Key Risk Indicators
• Perform meaningful risk aggregation
• Provide relevant and timely reporting
Review:
• Conduct periodic reviews (stress tests)
• Use risk assessments, operational metrics and incident data to refine risk appetite and processes
![Page 29: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/29.jpg)
GOVERNING RISK APPETITE
Risk Appetite lifecycle: Design, Construct, Implement, Govern
• Assess and act on metrics
• Monitor risk profile
• Monitor business change
![Page 30: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/30.jpg)
RE-DESIGNING RISK APPETITE
Risk Appetite lifecycle: Design, Construct, Implement, Govern
• Revise as required
• Communicate
• Refine policies, etc.
![Page 31: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/31.jpg)
SUMMARY: DESIGNING RISK APPETITE
Risk Appetite lifecycle: Design, Construct, Implement, Govern
Design: Business risk context; Risk capacity and capability; Risk philosophy; Risk outcomes
Construct: Risk domains; Risk appetite statements; Risk metrics (KRIs); Risk tolerances
Implement: Communicate & train; Risk calendar; Risk tools; Measure against KRIs
Govern: Assess and act on metrics; Monitor risk profile; Monitor business change
Re-design: Revise as required; Communicate; Refine policies, etc.
![Page 32: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/32.jpg)
EXPLORING THE CHALLENGES – OBTAINING VALUE
Risk and opportunity
Risk scenarios
Risk appetite
Risk capability
“The best risk management is about managing risk to business performance against specific outcomes or objectives.” Excerpt From: Brian Barnier “The Operational Risk Handbook for Financial Companies: A guide to the new world of performance-oriented operational risk.”
![Page 33: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/33.jpg)
CHARACTERISTICS FOR RISK OPTIMISATION
Context – Scenarios, outcomes, framework, appetite, KRIs (i.e. risk function and risk management enablers) must be relevant to the risk context of the business
Consistency – Develop risk appetite and scenarios and then identify granular but consistent appetites for risks across the business in business language
Completeness – Address all key risk domains across the business chain and aggregate sensibly
Culture – Align capability and appetite with risk maturity and desired risk culture
Cooperation – Encourage proactive behaviours and guidance on management of risk and risk appetite
Current – Monitor for change using risk information and refine responses as required
![Page 34: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/34.jpg)
The Governance Objective:
“Value creation means realising benefits at an optimal resource cost while optimising risk”
COBIT 5 – “RISK OPTIMISATION”
![Page 35: Value creation through optimising risk](https://reader033.fdocuments.in/reader033/viewer/2022060116/557dabf8d8b42acb768b4cd8/html5/thumbnails/35.jpg)
QUESTIONS?