What You Don't Know Will Eventually Hurt You: The Evolving Role of Enterprise Risk Management (ERM) in Successful Organizations


Jeff Owen, Senior Consultant, The Rochdale Group

About the presenter
Jeff Owen, Senior Consultant
16 years in the financial industry, 9 years working with credit unions, and a member for life
Leads a variety of client engagements, including enterprise risk management implementations and support, mergers, core conversions, strategic planning, compliance-related engagements, vendor selection and implementations, process re-engineering, and member and market demographic studies
Prior to Rochdale, Jeff was a member of management at the Federal Reserve Bank of Kansas City, gaining a broad perspective of the financial services industry as well as the Bank's operations and administrative functions

Agenda
1. Evolution of Business and IT
2. IT Risk Overview
3. Problem Definition
4. Enterprise Risk Management (ERM)
5. What's Next

EVOLUTION OF BUSINESS AND IT

Evolution of IT and Business Risks

Toy ("Look at what this can do")
Perceived reliance on technology: stuff just needed to work
IT was an afterthought; people only cared when something didn't work
Advent of the Internet: the Internet was about sharing information, not protecting it
Internet of Content: information, graphics and entertainment

Tool ("Look at what this can help me do")
Recognized reliance upon technology
Introduction of traditional IT threats (viruses, malware, misuse, etc.)
Data transfer
Internet of Services: e-commerce, e-productivity
Internet of People: Skype, Facebook, YouTube, Twitter, etc.

Transformational ("Look at what this allows us to do")
Broad view and requirements of IT security (information assurance, disaster recovery, business continuity, security of data, etc.)
Internet of Everything: data created, transmitted and stored
Integration of IT with nearly all business practices
Technology is now a competitive advantage

Business Transformation
In 1992, when the original COSO Internal Control - Integrated Framework (the "1992 Framework") was released, businesses operated in a much different environment than today:
There were fewer than 14 million Internet users worldwide in 1992, compared to nearly 3 billion today
America Online (AOL) for Microsoft DOS had recently been released
Microsoft Internet Explorer did not exist
The most popular cell phones (if you were lucky enough to have one) were bag phones
Telephone and fax were the predominant ways businesses communicated

Business Transformation (figure)

More than just the CORE
Governance, Physical Security, Compliance, Loans, Planning, HR, Risk, Data Security, IT Projects, Finance, Inventory, Transactions, CRM, Sales, Communication, Service, Marketing

Vendor reliance
Credit unions average 200 vendor relationships, each of which leverages a number of vendor relationships, each of which leverages a number of vendor relationships.
Who is accountable for data security?

IT CONCERNS

Inherent Risks
Data breach by external source
Inadequate patch security
Ineffective data management at vendors
Supply chain risk or vendor underperformance
Virus/malware disrupts member access or system performance
Theft of IT equipment and devices
Physical breach of data center
Destruction of data center
Insufficient IT controls/governance
Internal data breach (intentional)
Internal data breach (unintentional)
Testing and training environments being treated as if they hold tier 2 data
Inappropriate use of system and data by vendors
Operator job processing errors
Operating system configuration error

Residual Risks
Unanticipated IT-related black swan event
Lack of documented processes
Data breach by external source
Virus or malware in credit union network
Insufficient IT controls/governance
Inappropriate use of system and data by vendor
Failure to involve IT upfront in technology decisions
Errors in running daily processes
Risk of employees circumventing security protocols
Lack of common data exchange platform
Poor service from vendors
Theft of IT equipment and devices
Human error
Lack of core database access controls (inappropriate permissions)
Employee/third-party data theft
Inability to invoke appropriate levels of controls (e.g., dual control in core)
Personnel constraints (number or expertise)

U.S.-Based Financial Institution Key Risks (figure)

Business Security Risks
Disgruntled employees
Careless or uninformed employees
Mobile devices (BYOD)
Cloud applications
Unpatched or unpatchable devices
Third-party service providers
Source: breach/6 biggest business security risks and how you can fight back.html

Broader IT Risks: 2015 Black Hat Attendee Survey
Most enterprises are not spending their time, budget, and staffing resources on the problems that most security-savvy professionals consider to be the greatest threats.
Nearly three quarters (73 percent) of top security professionals think it likely that their organizations will be hit with a major data breach in the next 12 months, but they won't have enough time, money, or skilled staff to handle the crisis.


PROBLEM DEFINITION

Ongoing Concern
How do we ensure security defense strategies and resources are adequately prioritized against the most serious risks?
How do we address the fact that the people who walk the walls and guard the doors are not always confident in their ability to keep online bad guys out of systems and data?

Ongoing Concern
How do we account for organizational dysfunction in IT prioritization efforts?
Lack of effective oversight and accountability
Ineffective organizational prioritization process / competing priorities
Organizational and functional silos
Lack of visibility / transparency
Disjointed strategies
Poor integration
Duplicative resources and activities
Increasing complexity
Fragmentation
Increased expense
Decreased efficiencies

Ongoing Concern
How do we account for lack of continuity around IT-related requirements in IT prioritization efforts?
Expense, Application Development, Special Projects, Penetration Testing, Laws / Regulations, Vendor, Incident, Service Level Agreements, Access, Policy, Vendor Selection and RFPs, Performance, PII, Data Classification Standards, End User Training, Project Risk Assessments, Change, Business Impact Analysis

Problems Defined
While businesses and their reliance on IT have evolved, communication channels and risk management practices, as a whole, have not
Protecting all data is not possible, particularly considering how an organization's objectives, processes and technology continue to evolve to support operations and member needs and wants
Cyber attackers continue to evolve, finding new ways to exploit weaknesses
As a result, cyber risk is not something that can be avoided; instead, it must be managed
Using a lens of what data is most important to the organization, management must invest in cost-justified security controls to protect its most important assets

In Summary
Organizations are often managed through inefficient, non-transparent, self-sustaining silos, with individual departments and business owners continually battling for organizational resources, all in an effort to further their own pursuit of sustainability
The lack of timely, accurate, integrated intelligence keeps organizations from reaching maximum effectiveness
IT and business units are often misaligned around competing priorities, creating ongoing challenges
Unfortunately, this all happens at the expense of members, organizational value and undermanaged risk

ENTERPRISE RISK MANAGEMENT (ERM)

ERM Objectives
Identify and manage a broad array of threats, risks and opportunities surrounding the achievement of goals and objectives
Establish a structure and process that engages personnel across the organization and creates space to identify, communicate and prioritize risks and opportunities
Provide senior leadership with key information for risk-related decisions and allocation of resources
Develop and implement appropriate risk response plans through assigned liaisons
Encourage responsibility of all personnel to incorporate a balanced risk/reward analysis in everyday activities
Maximize opportunities
Foster a collaborative, entrepreneurial and innovative environment

ERM Objectives
The more confident and capable we become at understanding and managing the risks of today, the better positioned we are to navigate, exploit and leverage the opportunities and uncertainties of tomorrow.

Enterprise Risk Management
Improved organizational decision making, prioritization and overall performance through the collection and communication of better, more timely information
Involves the methods and processes used to identify, measure and manage risks and/or seize opportunities related to the achievement of the organization's goals
It's an ongoing process, not a one-time project
Not about compliance, policies or risk elimination

Purpose of ERM (figure)

Evolution of ERM (figure): a stair-step progression from credit risk only, through market (interest rate/liquidity) risk and compliance under financial risk management, to enterprise risk management that also covers transaction, strategic, reputation and technology risk

Evolution of Risk Management
Traditional Risk Management vs. Enterprise Risk Management:
Fragmented vs. Integrated
Negative vs. Positive
Reactive vs. Proactive
Ad hoc vs. Continuous
Cost based vs. Value based
Narrow focus vs. Broad focus
Functionally driven (silo'd) vs. Process driven

Silo-based approach vs. ERM approach (figure): the same risk categories (Strategic, Reputation, Transaction, Compliance, Interest Rate, Liquidity, Credit) managed in separate silos on one side and connected through ERM on the other

Internal Lines of Defense
Business Management (first line): Owns and manages risks; Establishes appropriate risk processes and programs; Identifies and escalates risk issues; Identifies new opportunities
Risk Management (second line): Sets risk limits; Quantifies and monitors risks; Challenges risks and mitigating actions; Aggregates risks across organizational boundaries
Internal Audit (third line): Validates risk programs; Reports on risk management effectiveness

Considerations in Shaping Your ERM Program
1. Linkage to strategy
2. Board/senior management commitment
3. ERM function
4. Employee engagement
5. Regulatory communication
6. Internal audit involvement
7. Risk assessment process
8. Risk repository/reporting
9. Third-party assistance

Key Questions Requiring Answers (figure; Source: COSO in the Cyber Age, Deloitte)

WHAT'S NEXT?

A continual evolution toward GRC
A system of people, processes and technology that enables an organization to:
Understand and prioritize stakeholder expectations
Set business objectives congruent with values and risks
Operate within legal, contractual, internal, social and ethical boundaries
Provide relevant, reliable and timely information to stakeholders
Enable the measurement of organizational performance and effectiveness
(Source: OCEG)

IT GRC
A set of coordinated activities with the goal of minimizing the IT factors that might disrupt or undermine achievement of business objectives, and maximizing the role of IT in the achievement of business objectives
Governance: Leadership, culture, structures, policies, standards and practices that define how IT is directed and managed
Risk
Compliance: Adherence to applicable laws, regulations, policies, contracts and other mandates

Life cycle of GRC adoption (figure; Source: KPMG, The Convergence Evolution)

"Your GRC controls are like the brakes on a car," says Nick Hirons, Vice President and Head of Audit and Assurance at GlaxoSmithKline. "The better the quality of the controls, the more effective the brakes. And the more effective the brakes, the faster the business can go."

GRC and Beyond: Internal Intelligence System
What might it look like? (figure): Internal core, Organizational spine

Questions to consider
What is our process for presenting an overall risk profile of the credit union?
How do we update our risk profile over time to ensure we always have an up-to-date understanding of our risks?
How do we know if our credit union is getting riskier or less risky over time?
What are the top ten risk exposures to our credit union and what are we doing to mitigate those exposures?
How do we ensure we quickly identify the emerging risk landscape and give it the attention and resources it deserves?
How can we be confident that staff are vigilant in detecting and actively working to mitigate risks?

Questions to consider
How do we know that internal and external audit personnel are focusing on the areas that will drive the greatest value for the credit union?
How can the board be certain that it is receiving objective information on the credit union's overall health and is not only hearing what senior management wants to relate?
How can we be sure that our strategic planning is really addressing the key issues facing the credit union today?
How is the credit union obtaining the board's direction in setting risk appetite and monitoring performance against that appetite?
What are the longer-term factors that could have a significant impact on our credit union and what are we doing to ensure we are taking appropriate steps to address those issues?

Thank You!
Jeff Owen, The Rochdale Group
jowen@rochdalegroup.com