Building Resiliency Across the Value Chain The Bigger Picture

1 Building Resiliency Across the Value Chain The Bigger Picture

2 DISCLAIMER This presentation is for informational purposes only. This document contains certain statements that may be deemed "forward-looking statements" within the meaning of the Private Securities Litigation Reform Act of Forward-looking statements are based on assumptions and assessments made by us in light of our experience and perception of historical trends, current conditions and expected future developments. Actual results and timing of events may differ materially from those contemplated by the forward-looking statements due to a number of factors, including regional, national or global political, economic, business, competitive, market and regulatory conditions. Any reproduction, retransmission, or republication of all or part of this document is expressly prohibited without the permission of RSA.

3 Presenters
Patrick Potter, GRC Strategist, RSA. Patrick has spent over 25 years leading internal audit, business resiliency, strategic planning, process improvement and related activities at Fortune 500 companies in both practitioner and consulting roles. He is currently a GRC Strategist and subject matter expert for RSA, where he oversees the direction of the RSA Archer Business Resiliency solution.
Tamara Zinn, Senior Manager, Business Resilience Office, Voya Financial. Tamara has been a practicing Business Resilience Professional for eleven years with a background in Operational Risk Management. She is currently a Senior Manager for Voya Financial, a member of the International & Connecticut Association of Continuity Professionals, and a DRI Certified Business Continuity Planner.

4 Value Chain Understanding the parts, dependencies and needs Gap of Grief Risks to the business

5 Value Chain: Products and Services; People; Systems; Processes; Data; Suppliers

6 Gap of Grief Technology risk perspective Business risk perspective What is the important data? Where is the important data? What are the most critical applications? How important is this part of the infrastructure? What does this security event impact? Where are we vulnerable? Who are the 3rd parties the business relies on? What happens if IT services are disrupted? What part of the business strategy is the most critical? Where are our biggest risk areas? What is our risk appetite and tolerance? What are our regulatory obligations? What are the most valuable pieces of our business? How bad could it be? Are we effectively managing our risks to achieve our objectives?

7 The Wedges in the Gap: Outdated reporting; Manual processes; Lack of ownership; Information silos; Inconsistent controls; Limited risk visibility

8 lead to Risk in the Business: Inaccurate insights & misinformation; High costs & inefficiency; Unresolved issues; Disconnected data & lack of context; Holes & gaps; Poor business decisions & missed opportunities

9 Business Resiliency vs. Recovery
The Recovery perspective | The Resiliency perspective
Multiple Disparate Communication and Decision Making Frameworks | Interactive Communications and Clear Decision Making Framework
Performs Exercises by Discipline Groups or Applications | Regularly Performs Integrated Exercises
Looks to Assess Fault | Learns from Mistakes
Waits on External Influences or Events as a Call to Action | Regularly Evaluates Risks and Impacts
Efforts are Primarily Focused on Site or Departmental Levels | Efforts are in Relationship to Risk Appetite, Interdependencies and Evolving Business
Reactive | Proactive

10 The Great Divide People Systems Processes Data Suppliers Business Continuity Disaster Recovery

11 Bridging the Divide People, Process and Suppliers Systems, Data and Suppliers Business Continuity Management Team Disaster Recovery Management Team Crisis Management (Communications & Decisions) Emergency Response Teams (Triage)

12 Cultivate Essential Partnerships: Business Owners; Legal/Compliance; Vendor Management; Facilities Management; Human Resources; Auditors/Regulators; Industry Peers and Associations; Operational Risk Management

13 Simplified Resiliency Stakeholder Ownership Easy to Participate Actionable Live Analysis

14 Business Resiliency and Operational Risk Risks in the business Alignment across the Three Lines of Defense Maturity Model

15 Risk in the Business: Inaccurate insights & misinformation; High costs & inefficiency; Unresolved issues; Disconnected data & lack of context; Holes & gaps; Poor business decisions & missed opportunities

16 A Strategy to Manage Business Risk: Define & enforce risk ownership through Accountability; Cross business lines & organizational boundaries for Collaboration; Consolidate data and enable risk Analytics & Visibility; Automate processes for Efficiencies

17 Operational Risk Management [Table: responsibility matrix. Risk areas: Strategy, Financial Health; Credit; Liquidity, Market, FX; People, Talent Mgmt; Errors & Fraud; Financial Reporting, SOX; Litigation Mgmt; Information Security; Business Continuity, DR; 3rd Party Risk & Perf; Regulatory Compliance; Reputation. Responsible functions: Audit, CAE; CEO, CRO, ERM; Chief Credit Officer; ORM; CFO, Treasurer; CHRO; CLO; CCO; CISO; BCM; Vendor RM.]

18 Three Lines of Defense

19 Take Command of the Journey Siloed Streamline compliance, Build business context & reporting Managed Expand risk focus, Improve analysis & metrics The Maturity Journey Advantaged Connect risk and the business with cross functional processes Transition Transform Risk Business Risk Meet Compliance requirements Address known & unknown Risks Enable new business Opportunities

20 Inspire everyone to own Risk

21 Thank