Digitaliseren van risico management

Transcription

1 Digitaliseren van risico management Drs. G.M.E. Vervest RC 1

2 Topics Why does it matter Managing (cyber) risk Digitization of risk management - examples Impact and role of finance professional Questions & discussion 2

3 Why does it matter 3

4 Disruption Vulnerability Data protection Strategy Opportunities Forward looking Return on controls Organization Cyber security Regulation Aggravates resource constraints Management Boards to own Cyber Transparency New value chains Global Competition Digitization Interconnectivity Cost discipline Vocal and well informed Stakeholders Better management of risks Consumers in control Robotic Process Automation Data Management & Quality 4

5 functions are challenged 01 Consistency of Assessments 06 How to resource all activities 07 Evaluating value of technology 5

6 Managing (cyber) risk 6

7 The landscape Many firms struggling to understand how they should tackle the threat from cyber attacks, and are unsure on just how seriously they should take the issue is it hype, is it the price of doing business in a digital world, or is it a fundamental threat to the future of their business. Senior leaders are looking to their IT leadership to provide clarity on the scale and impact of cyber risk on the business, while providing confidence that investments in cyber security are well targeted and effective in addressing that risk. 7

8 Cyber security risk management Current practices Security IT responsibility Judgemental risk assessments At best present looking Linked to cost/financial impact Single target asset Heat map Quantification not feasible And if it is: expensive, complex, time consuming, impossible to keep current Limited discussion and risk based (remediation) actions Silo-ed; focus on compliance Cost of control often not included in decision to mitigate Resilience Better practices Business and Board responsibility Data driven risk insights Forward looking Linked to strategy and customer Value chain/end to end scenarios Loss Exceedance Curve Simulations Threat campaigns reflecting different types of attacks What if analysis and risk appetite discussions Embedded; focus on risk and opportunities Cost of control taken into account 8

9 Cyber security value chain assessment Individual assets Laptops Sampling all possible paths Laptops Mobile BYOD Retail Zone Manufacturing Zone Office Zone Retail Zone Crown Jewels Crown Jewels Secure Zone SaaS Zone Secure Zone IaaS/PaaS Zone Impact likelihood determined by Business Impact Assessments 9

10 Cyber security quantification! There is a highly likelihood that event X could happen with a medium impact There is 80% likelihood that event X could happen with an impact greater than 2mln. After mitigation (as inherent risk > risk appetite): There is 15% likelihood that event X could happen with an impact greater than 2 mln. 10

11 Digitization of risk management

12 management digitization examples (1) Identification/ Discovery (Projects, Shadow IT, other) Assessment (Impact, L&R, Exposure) Policy Implement (Auto Control Selection) (Tracking) Deviations Appetite Continuous Controls Modelling Monitoring Committee Sessions Visuals & Dashboards Radar Operational Environment Actors Methods Targets Exposures 12

13 management digitization examples (2) Identification/ Discovery (Projects, Shadow IT, other) Assessment (Impact, L&R, Exposure) Policy Implement (Auto Control Selection) (Tracking) Deviations Appetite Continuous Controls Modelling Monitoring Committee Sessions Visuals & Dashboards Radar Operational Environment 13

14 management digitization example CCM1 Identification/ Discovery Assessment Policy Implement (Impact, L&R, (Auto Control (Projects, Shadow Exposure) Selection) (Tracking) IT, other) Deviations Appetite Continuous Controls Modelling Monitoring Committee Sessions Visuals & Dashboards Radar Operational Environment

15 Impact (on) and role of finance professional

16 What this means for risk functions Trends Assignment Challenges Continued cost discipline Accelerated through simplification and outsourcing functions to take on more responsibilities towards support of 1 st line digitization is a small part of the annual budget Strategic alignment required across multiple functions and multiple layers Regulatory pressure up Accelerated by through new technologies Develop analytical skills while empowering risk thinking Progress is challenged by legacy IT and poor data professional requires a different skill set types evolving at increasing pace Accelerated through increased agility Fundamental digitization and integration Embracing digitization opportunities for risk management requires a different (organizational) culture and mindset Don t automate something that can be eliminated, don t delegate something that can be automated or streamlined. Otherwise, you waste someone else s time instead of your own 16

17 To finish. Organizations cope with Organizations required to Use digitization to Disruptive and highly uncertain environment Managing risks in siloes, with very limited aggregation and transparency Lack of control awareness in the business (e.g. missing the added value) Establish business ownership to manage risks Determine risk appetite (and balance the potential loss versus cost of control) Change mind set Have risk professionals who take a more disciplined approach to (cyber) risk Enable a risk based mind set Drive risk appetite discussions Reduce the cost of control Measure the effectiveness of internal control and risk management (integrated assurance) Focus scarce human resources on activities requiring judgement, interaction and which generate most value add 17

18 Thank you Questions 18