Risk Management & Control: Art or Science?

Wednesday 5th March 2008

About Myself
• Been working for 41 years!
• Jobs:
     MSS - Reception & Claims Assessment Clerical Officer
     MPNI - National Insurance Inspector
     DHSS - Regional Directorate Operations Manager
     DSS – IT Services Agency (ITSA) Projects Manager
     Internal Auditor
     Computer Auditor
     Computer Audit Manager
• Government, banking and business services.
• Currently Computer Audit Manager for HRG (Hogg Robinson Group).
• Relevant qualifications:
     MIIA/FIIA - Member/Fellow of the Institute of Internal Auditors, UK & Ireland
     CISA - Certified Information Systems Auditor, ISACA
     FBCS CITP – Chartered Fellow of the British Computer Society
• Present Chair of the British Computer Society Information Risk Management &
  Assurance (BCS IRMA) specialist group.
                       Why does risk management matter?

                                 “Troubles add up at Nike”
                               Jeff Manning -- The Oregonian,
                                        May 4, 1997

The Beaverton shoe giant faces slower sales growth, labor and wage controversies in
      its foreign factories and an unnerving 27 percent drop in its stock price.

Portland -- After two years of ripping through the industry like a tornado in a trailer park, Nike
Inc. is suddenly losing momentum. Retailers large and small report consumer demand for
Nike products has levelled off and, in some cases, declined.
Retailers say a small but noticeable fraction of customers are avoiding the brand on
Alarmed by reports of labor abuses in Third World factories, some shoe consumers say they
want nothing to do with the dominant name in the industry.
"We've seen a slight drop-off in Nike sales," said Pat Sweeney, president of the Fleet Feet
store in Sacramento, Calif. "I think it's because of the bad publicity the company's been
getting on their labor policies."
            Why does risk management matter?
• Severe flooding has affected principal cities across
  Europe including Paris, Dresden, Prague and Gloucester
Why does risk management matter?

• Between 20 and 22 October, the city of Manchester experienced 4 earth tremors, one of which reached 3.9 on the Richter scale – sufficient to knock bottles off shelves and cause collapse of chimneys on residences.
• The UK was also in the grip of an extensive firefighter’s strike at the time. Businesses were warned to review their disaster recovery plans.

Organisations, especially those with modest margins, naturally do not want to spend time and money on something that will probably never happen ... until it happens!

So, how do we make it easy for organisations to prepare for adversity?

Answer: Risk Management and Control
What is a Risk?

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to those assets.

    Guidelines for the Management of IT Security (International Standards

Something bad WILL happen
Something good WON’T happen
Examples of business risks

   •   Financial
   •   Operational
   •   Reputational
   •   Regulatory
   •   Legal
   •   Project
   •   Health & Safety
                         Typical IT-related risks

•   Non-availability of systems and/or data (temporary/long-term) + loss
    of work in progress at the time
•   Loss of key personnel (“single points of failure”)
•   Unauthorised, fraudulent or simply erroneous changes to data and
    programs, leading to loss of data integrity (accuracy)
•   Theft of assets – tangible or electronic
•   Confidentiality of personal information compromised
•   Symbolic actions (e.g. website defacement) and reputation/media
    damage – need to shut down service
•   Failure of a third-party supplier to deliver on its contract
•   Staff motivation/morale in reaction to adverse incidents
             Risk Management and Control – Some Definitions (1)

• Risk Management: The selection of those risks a business should take
  and those which should be avoided or mitigated, followed by action to
  avoid or reduce (exposure to) risk.
• Risk Analysis: Identifying the most probable threats to an organisation and
  analysing the related vulnerabilities of the organisation to these threats.
• Risk Assessment: Evaluation of existing physical, logical and
  environmental controls and assessment of their adequacy/effectiveness
  relative to the potential threats to the organisation.
• Business Impact Analysis: Identification of critical business functions and
  determination of the impact on the organisation of not performing them
  within acceptable tolerances.
• Inherent/Gross Risk: The level of perceived risk without the application of
  dynamic influences (such as control procedures).
             Risk Management and Control – Some Definitions (2)
• Residual/Net Risk: The level of perceived risk following the application of
  dynamic influences (such as control procedures).
• Risk Appetite: The amount of risk, on a broad level, an entity is willing to
  accept in pursuit of objectives.

• (Internal) Control: The policies, procedures, practices and organisational
  structures, designed to provide reasonable assurance that business
  objectives will be achieved and that undesired events will be prevented or
  detected and corrected.

• Internal Audit: Internal auditing is an independent, objective assurance
  and consulting activity designed to add value and improve an
  organisation's operations.

• Corporate Governance: The leadership, organisational structures and
  processes that ensure that the enterprise sustains and extends its
  strategies and objectives.
Benefits of Formal Risk Management

• A clear understanding of risk can enhance decision making
• Exploit opportunities from a risk aware perspective
• Contain damage/loss and avoid surprises
• Effective direction and use of resources – look at real issues with less time spent “fire fighting”
• Increased likelihood of achieving business objectives
• Provide assurance to the Board and third parties that risks are managed to an acceptable level
• Stimulate inter-team communication and motivation
• Gives stakeholders greater confidence in our stewardship
• No more sleepless nights
Value-Added Risk Management

[Diagram: value (Low to High) plotted against approach to risk, which runs from Ignorant through Managing to Obsessed. At the Ignorant end the organisation is exposed and destroying value (“Brakes off - out of control”); at the Obsessed end control is applied only to minimise risk rather than to add value (“Brakes on - going nowhere”). Value peaks in the Managing range between them.]
Traditional/New Vision Continuum

Historical/Traditional:
• Assign duties/supervise staff
• Policy/rule driven
• Limited employee participation
• Narrow stakeholder focus
• Auditors and other specialists are the primary control analysts/reporters

The New Vision:
• Empowered/accountable
• Continuous improvement/learning culture
• Extensive employee participation and training
• Broad stakeholder focus/corporate governance
• Staff at all levels, in all functions, are the primary control analysts/reporters
The Risk Management Process – in a nutshell

[Process diagram: the five steps below run in sequence, with “Communicate and consult” and “Monitor and review” running alongside every step.]

1.   Establish the context
2.   Identify risks
3.   Analyse risks
4.   Evaluate risks
5.   Treat risks
The Risk Management Process – 1. Establish the context

1. Establish the Context - Categorisation of Risk

[Tree diagram: “Design of the business” at the top splits into three branches, with the bottom row labelled “Event categories”.]

• External: change in the parameters of the sector; change in the environment (general); external events specific
• Internal: how the business is executed; how the business changes itself; management and controls structure
• Alliances: service delivery alliances; customer alliances

•   Provides a common language for risk – helps avoid ambiguity
•   Helps identification of common risks and accumulations across divisions/processes/geographical locations
•   Provides a common language for risk – helps avoid ambiguity
•   Helps identification of common risks and accumulations across divisions/processes/
    geographical locations
1. Establish the Context – Risk Areas

External Risks
•   Environmental: Political/legal; Economic; Social; Technological
•   Sector: Competitive rivalry; New entrants; Substitute products/services; Buyers; Suppliers
•   Other external factors/events: Public image; Shareholder expectations; Capital availability; Hostile takeover; Catastrophic loss

Internal Risks
•   How the business is executed:
     Human resources: Recruitment; Performance evaluation; Skills and competencies; Training and development; Promotion practice/career planning/succession; Compensation/performance incentives; Retention; Discipline; Employee well-being and morale
     Operational: Customer satisfaction; Quality; Product/service failure; Performance gap; Planning; Capacity; Sourcing; Brand name erosion; Winning/implementing new clients; Facilities; Health & Safety
     Financial: Gearing; Liquidity/cash flow; Profitability; Budgeting and planning; Financial instruments; Pricing; Credit; Pension fund; Taxation; Regulatory reporting
     Commercial & legal: Establishing commercial contracts; Interpretation and application of legislation/regulations/contracts; Directors and officers wrongful acts; Professional liability; Intellectual property; Insurance
     Integrity: Fraud; Collusion; Illegal acts; Unauthorised use of assets; Theft; Ethics
     Management information: Reliability; Relevance; Timeliness; Adequacy; Performance measurement/indicators
     Information systems: Data integrity; Completeness and accuracy of update; Logical security; Availability; Data protection; Information systems infrastructure; Systems specification, selection/development & implementation; Dependency on IT
•   How the business changes itself: Strategy formulation/implementation; Product/service development & launch; Merger/acquisitions/disposals; Entering new markets; Programme/project management; Overexpansion
•   Management and control structure: Leadership; Authority and responsibility; Communication; Organisational design; Organisational culture; Internal competition; Management review processes; Control failure

Alliance Risks
•   Service delivery alliances: Partner/supplier selection; Ongoing relationship management/communication; Loss of intellectual property; Loss of customers; Supplier/partner failure; Quality; Cost; Dependency on partner/supplier; Partner/supplier’s market; Environmental risks; Sector risks
•   Customer alliances: Customer acceptance; Ongoing relationship management/communication; Loss of intellectual property; Customer systems/control; Dependency on one/a few customers; Customer’s market place; Environmental risks; Sector risks
The Risk Management Process – 2. Identify risks

2. Identify Risks – Business Impact Analysis

• A meeting or series of meetings of key stakeholders – the BUSINESS
     “What are the five things that keep you awake at night?”
• What will be the effect upon the BUSINESS of ...? e.g.
     Loss of an invoicing system for 2 hours/half a day/2 days, etc.
     Inability to access a business call centre due to toxic spill, crime scene, etc.
• Prioritisation of the impacts upon the business
2. Identify Risks - Risk Workshop

Workshop(s) sessions:
• Identification and classification
• Measurement and priorities

Key stages:
• Brainstorm exercise to identify potential operational risks
• Risk categorisation
• Evaluate ideas to produce an agreed list of risks
• Estimate expected impact and likelihood
• Establish management
The Risk Management Process – 3. Analyse risks

3. Analyse Risks - Risk Factors

Factor 1 – Is it going to happen to me?
• Likelihood
• Uncertainty
• Chance
• Probability

Factor 2 – What is it going to mean to me if it does?
• Impact
• Exposure
• Vulnerability
• Effect

Factor 1 combined with Factor 2 = Risk Scoring
The Risk Management Process – 4. Evaluate risks

4. Evaluate Risks - Risk Categorisation/Scoring
4. Evaluate Risks - Risk Prioritisation

[Prioritisation plot: risks numbered 0 to 9 are plotted on a Low–High by Low–High grid of the two factors; the grid is shaded into High risk, Moderate risk and Low risk regions.]
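The two-factor scoring and the prioritisation plot can be worked through on a small risk register. The following is an added example, not code from the presentation: it scores likelihood × impact (the usual reading of the two-factor slide), keeps the inherent/gross and residual/net distinction from the definitions given earlier, orders the register for the prioritisation plot and derives a per-process band in the style of the heat map. The 1..5 scales, the band cut-offs, the additive control-reduction model, the band-to-treatment mapping and the sample register are all assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed 1..5 ordinal scales for both factors; the slides only say Low..High.
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed cut-offs for the High / Moderate / Low shading of a 1..25 score.
HIGH_THRESHOLD, MODERATE_THRESHOLD = 15, 6


@dataclass
class Control:
    """A control of one of the four types in the slides' hierarchy."""
    name: str
    kind: str                      # preventive, detective, corrective or deterrent
    likelihood_reduction: int = 0  # scale points the control is judged to remove
    impact_reduction: int = 0


@dataclass
class Risk:
    ident: int
    title: str
    process: str
    likelihood: int                # inherent/gross values, i.e. before any control
    impact: int
    controls: List[Control] = field(default_factory=list)


def _check(value: int, label: str) -> int:
    """Reject scores outside the agreed scale instead of silently using them."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer {SCALE_MIN}..{SCALE_MAX}, got {value!r}")
    return value


def score(likelihood: int, impact: int) -> int:
    """Factor 1 (is it going to happen to me?) x Factor 2 (what will it mean?)."""
    return _check(likelihood, "likelihood") * _check(impact, "impact")


def band(value: int) -> str:
    """Map a score to the High / Moderate / Low region of the prioritisation plot."""
    if value >= HIGH_THRESHOLD:
        return "High"
    if value >= MODERATE_THRESHOLD:
        return "Moderate"
    return "Low"


def inherent_score(risk: Risk) -> int:
    """Inherent/gross risk: the score without the influence of any control."""
    return score(risk.likelihood, risk.impact)


def residual_values(risk: Risk) -> Tuple[int, int]:
    """Residual/net inputs after the controls. Reductions add up and are clamped at
    SCALE_MIN: the slides note that no preventive control is ever 100% effective,
    so a residual score never reaches zero, and a deterrent with no reduction
    leaves the values unchanged."""
    lik = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    imp = risk.impact - sum(c.impact_reduction for c in risk.controls)
    return max(SCALE_MIN, lik), max(SCALE_MIN, imp)


def residual_score(risk: Risk) -> int:
    return score(*residual_values(risk))


def suggest_treatment(risk: Risk) -> str:
    """Assumed mapping from residual band to the slides' four strategies."""
    residual = band(residual_score(risk))
    if residual == "High":
        return "Terminate, Reduce or Pass on"
    if residual == "Moderate":
        return "Reduce or Pass on"
    return "Accept"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual score first; ties broken by impact, then by risk number."""
    return sorted(register,
                  key=lambda r: (-residual_score(r), -residual_values(r)[1], r.ident))


def process_heat_map(register: List[Risk]) -> Dict[str, str]:
    """One band per process, set by its worst residual risk (as on the heat map slide)."""
    worst: Dict[str, int] = {}
    for r in register:
        worst[r.process] = max(worst.get(r.process, 0), residual_score(r))
    return {process: band(s) for process, s in worst.items()}


# Constructed sample register; it does not represent any real risk profile.
SAMPLE_REGISTER = [
    Risk(1, "Invoicing system unavailable for two days", "Finance", 3, 5, [
        Control("Tested disaster recovery plan", "corrective", impact_reduction=2),
        Control("Availability monitoring", "detective", likelihood_reduction=1)]),
    Risk(2, "Unauthorised change to payroll data", "Payroll", 2, 5, [
        Control("Segregation of duties", "preventive", likelihood_reduction=1),
        Control("Review of change audit trail", "detective")]),
    Risk(3, "Key supplier fails to deliver on contract", "Procurement", 4, 4),
    Risk(4, "Website defacement", "Account Management", 2, 2, [
        Control("Logon warning banner", "deterrent")]),
]
```

Calling `prioritise(SAMPLE_REGISTER)` puts the uncontrolled supplier risk first, and `process_heat_map(SAMPLE_REGISTER)` gives one band per process for the heat map rows.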
4. Evaluate Risks - Risk Matrix

Process Risks (heat map)

(Example only – does not represent actual risk profile)

[Heat map: one row per process, with the process owner and a mitigation column, against columns for each of the risk areas from the “Risk Areas” slide grouped under External Risks, Internal Risks and Alliances. The cell shading is not recoverable here.]

Process                                      Process Owner
Strategic Management Process                 JW

Core Business Process
Payroll                                      KP
Banking Services                             KB
Selling/Implementation of New Services       DN
Account Management                           NW
                                             DS

Business Support Process
HR                                           RT
Finance                                      HC
Facilities Management                        AC
Procurement                                  TB
                                             TB
The Risk Management Process – 5. Treat risks

5. Treat Risks - Strategies

• Terminate: terminate the activity being undertaken which generates risk
• Reduce: reduce the risk by introducing new or enhancing existing controls
• Accept: accept the risk where existing controls are felt to be adequate
• Pass on: pass on the risk to another party - for example, insure against it or outsource the
5. Treat Risks - The Control Environment: Information Processing Objectives

5. Treat Risks - The Control Environment: Definitions of high-level control objectives…

Confidentiality: Prevention of disclosure of sensitive information resources to
unauthorised individuals or organisations
Integrity: Prevention of accidental corruption, deliberate unauthorised
manipulation or inaccurate entry/processing of business information resources
Availability: Prevention of business information stored in or processed by systems
becoming lost or unavailable for an extended period
Effectiveness: Maximising the conformance of outputs from an activity to a
specification or need (meaning: “Doing the right things”)
Efficiency: Optimising the ratio of inputs to outputs for an activity (meaning:
“Doing things right”)
Economy: Minimising the cost of the inputs to an activity or the resources needed
to deliver a service (meaning: “Doing things cheap”)
Compliance: Avoidance of breaches of any criminal and civil law, statutory,
regulatory or contractual obligations and of any security requirements.
                    5. Treat Risks - The Control Environment:
                          A Hierarchy of Internal Control

Internal controls can be categorised into the following:

1.   Preventive Controls – (“before the fact”)
     The most important control type since, if 100% effective (which it never is), none of the others would be necessary – physical barriers, passwords
     Healthcare analogy: Prophylactics (e.g. immunisation programmes)

2.   Detective Controls – (“after the fact”)
     If a preventive mechanism fails, this is the first type of control necessary to identify this fact prior to correction – audit trails, monitoring
     Healthcare analogy: Diagnoses (e.g. check-ups; ECGs)

3.   Corrective Controls – (“before or after the fact”)
     This type of control is designed to correct a problem – change control, overrides
     Healthcare analogy: Surgery (e.g. heart by-pass; tumour excision)

4.   Deterrent Controls – (“instead of the fact”)
     Designed to advise against certain forms of action – security policy, logon warning
     Healthcare analogy: Government Health Warnings (e.g. tobacco; alcohol)
5. Treat Risks - Risk and Control

[Diagram: the total risk is divided into risk that is controlled, residual or ‘exposed’ risk, and unidentified risk; a further region is labelled “Risks currently ‘hidden’ by control structure but may be exposed by major”.]
    IT Risk Management and Control – sources of inspiration

There are a number of industry IT security standards that can assist compliance with governance requirements and in some cases grant a badge to an organisation to say “We are all certified here” (!!!???). These include:

•   The Standard of Good Practice for Information Security – Information Security Forum (ISF)
•   Control Objectives for Information and related Technology (COBIT)
•   Information Security Management Systems - Requirements (ISO27001)
Achieving Information Technology Governance - ISF

The Standard of Good Practice for Information Security

•   Produced by the Information Security Forum (ISF), an international association that co-operates in the development of information security and risk management best practices.
•   “The ISF's work probably represents the most comprehensive and integrated set of reports anywhere in the world ...”
•   “Draws on the knowledge and experiences of the ISF's global members as well as building on other standards such as ISO 27001 and COBIT”
•   Available as free download from

Breakdown of the standard: (diagram on slide, not reproduced in the text)
Achieving Information Technology Governance - COBIT

Control Objectives for Information and related Technology (COBIT)

•   Developed by the IT Governance Institute (ITGI) and the Information Security And Control Association (ISACA)
•   Provides over 300 IT control statements defining requirements addressing value delivery, risk management, regulatory compliance and IT investment.
•   Structured in 4 domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring
•   Can be integrated with other respected standards such as ISO27001 and ISO9000
•   Available as free download from

Comprises 4 control “domains”:
     1.   Plan and Organise
     2.   Acquire and Implement
     3.   Deliver and Support
     4.   Monitor and Evaluate

Containing 34 IT control processes, e.g.
     1.   Define a Strategic Plan
     2.   Manage Changes
     3.   Ensure Continuous Service
     4.   Monitor and Evaluate IT Performance

Topic structure: (diagram on slide, not reproduced in the text)
Achieving Information Technology Governance – ISO27001

Information Security Management Systems - Requirements (ISO27001)

•   Developed initially as BS7799 by the British Standards Institute
•   Adopted as ISO17799 by the International Standards Organisation
•   Revised 2005 as ISO27001
•   Structured under 11 security clauses, 39 control objectives and 133 control processes
•   Can be integrated with other respected standards such as ISO9000 (quality), ISO14000 (environmental), ISO15000 (service delivery)
•   Not available for free !! See

ISO27001 – High level contents

1.   Security policy
2.   Organisation of information security
3.   Asset management
4.   Human resources security
5.   Physical and environmental security
6.   Communications and operations management
7.   Access control
8.   Information systems acquisition, development and maintenance
9.   Information security incident management
10.  Business continuity management
11.  Compliance
Q. Should Risk Management and Control be considered to be an Art or a Science?

A.   • Art: “The expression or application of human creative skill and imagination”

     • Science: “The intellectual and practical activity encompassing the systematic study of the structure and behaviour of the physical and natural world through observation and experiment”

     (From the Oxford Dictionary of English)
Potential principles for roles and responsibilities - Board

(Each of the following slides highlights one role in the hierarchy shown down its side: Board; Executive Group; Business Risk Manager; Internal Audit; Businesses; MDs/Director responsible for matrixed function; Risk Champions; All managers and staff.)

•   Determine risk appetite
•   Agree risk policy and strategy
•   Satisfy itself that all risks are managed to an acceptable level
•   Governance disclosure in Annual Report
Potential principles for roles and responsibilities – Executive Group

•   Develop risk policy and
•   Analyse risk reports
•   Report risk status to Board
Potential principles for roles and responsibilities – Business Risk Manager

•   Provide support to Executive Group to develop risk policy and strategy and analyse risk reports
•   Analyse overall risk portfolio for accumulations and interdependencies
•   Assist businesses and matrixed functions to identify risks and establish treatment strategies
•   Set standards for risk reports
•   Maintain Risk Management Information System
•   Co-ordinate with other risk specialists
•   Provide additional services (eg project risk workshops) on request

Role is to facilitate the risk management process and not to manage risks
Potential principles for roles and responsibilities – Internal Audit

•   Quality assurance of risk management process
•   Test compliance at all relevant levels
•   Alongside Business Risk Manager promote the principles of self-assessment of risk and control status
•   Advise businesses in design of control portfolio and sign-off adequacy
•   Scope audit work on risk severity to the business
•   Undertakes special investigations upon request
Potential principles for roles and responsibilities - Directors

•   Ensure adequate risk management process is in operation
•   Report risk profile to the Executive Board
•   Obtain assurance that controls relied upon are working effectively and sign-off controls assurance statement
•   Matrixed functions also to report on risk profiles and effectiveness of controls to the businesses which “sub-contracted” to them

Can consult with Business Risk Manager or Internal Audit but remains responsible
Potential principles for roles and responsibilities – Risk Champions

•   Responsible to MD for operation of risk management process
•   Communicates risk management policies and procedures to all management and staff
•   Acts as key contact point for managers and staff to report risks identified and proposed action
•   Liaison between business/matrixed functions re “sub-contracted” risks
•   Liaison with risk management specialists in “2nd line of defence”
Potential principles for roles and responsibilities – Managers and Staff

•   Management of risks within own sphere of operation in accordance with risk management policies and procedures
•   Report risk profiles to Risk Champion