Driving Accountability Through An Effective Risk Register

Driving Accountability Through An Effective Risk Register (Version 2018.1)
ISACA Birmingham Chapter, March 20, 2018 - Lunch & Learn
Chris Womack, CIA, CISA, GCCC, Director Information Security Governance, BBVA Compass

Current State
Risks continue to grow in the IT and cybersecurity environments. IT auditors are charged to do more with fewer resources. Unfortunately, it is difficult to get past the low-hanging-fruit findings to something more meaningful.

Pain Points
1. Repeat audit findings
2. Technical debt
3. Excessive vulnerabilities
4. Permanent exceptions
5. Known policy / procedure gaps
6. Lack of traction to resolve issues
7. Legacy mindsets

Target State
Focus on more meaningful issues:
- Deliver valuable issues / reports
- Propel process maturity
- Drive individual accountability

Create a Risk Register

Path Forward - Create a Risk Register:
- Design: Identify Components
- Build: Create Register / Process
- Run: Drive Accountability

Identify Components
RACI: Analysts; Subject Matter Experts (SMEs); Decision Making Authorities (DMAs); Risk Treatment Owners (RTOs); Working Group; Steering Committee
Criteria (Types of Risks): PMO: Project Risks; InfoSec: CIA of Information Assets; IT: Governance of Enterprise IT
Workflow Stages: Identification; Analysis; Decision Making; Treatment; Monitoring; Validation; Closure
Technology: GRC Tools; Automation; Workflows; Notification; Reporting


Process

01 Identification
Risks can be identified from multiple sources in the environment.
Key Points for Success: Clear, Consistent Criteria; Defined Sources; Decision Required

02 Analysis
Risks of all sizes can affect an organization. This stage is essential for determining the potential impact.
Key Points for Success: Know Your Audience; Factually State the Risk (WCGW, what could go wrong); No Control Reversal (do not state the risk as the absence of a control); Qualify & Quantify the Risk; Simplify Ranking

03 Decision Making
The Decision Making Authority (DMA) should be provided the appropriate amount of information to make a well-informed decision.
Key Points for Success: Thorough Analysis; Appropriate DMA; Understand the DMA's Decision / Rationale; Avoid Surprises

04 Risk Treatment
The Risk Treatment Owner (RTO) should be held accountable for providing a plan that appropriately addresses the risk.
Key Points for Success: Plan with Dates & Milestones; Short- & Long-Term Treatment; Routine Updates; Accurate Target Dates

05 Validation
Risk validation should reflect that the treatment was successful in fulfilling the treatment decision.
Key Points for Success: Validation Preparation; SME Communication; Demonstrable Evidence

06 Closure
Once the risk has been appropriately addressed, it can be closed. This stage can be used to reflect on the efficiency and effectiveness of the process.
Key Points for Success: Perform Quality Control; Calculate Measurements & Metrics; Prepare Reporting; Continual Process Improvement

07 Monitoring
Monitoring is a time-bound stage for a risk. The timing can be set per risk but should not exceed one year.
Key Points for Success: Routine Interim and Periodic Updates; Ensuring Progress; Reporting Changes in Constraints


Visibility, Accountability, Effectiveness
In order to be effective, the products of the process must be seen by appropriate levels of management:
- Risks accepted;
- Target dates changed; and
- Validation failed.
Cadence:
- Quarterly Leadership Meetings - Executive Management
- Monthly Working Groups - Management
- Weekly Register Reviews - Analysts
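The stage workflow and the three visibility items above, written out as a small register state machine. This is an added example, not the presenter's tool or BBVA Compass code: the stage set, the list of defined sources, the 1..5 likelihood/impact scale, the role names (cio, ciso, iam_lead) and the two sample risks in demo() are assumptions chosen to illustrate the slides. It enforces the points the slides call out: only a defined source can raise a risk, only the named DMA can decide it, a "treat" decision needs an owner and a date, an accepted risk's monitoring window is capped at one year, and every accepted risk, changed target date and failed validation is recorded for management.

```python
"""Risk-register workflow as a state machine. Added example; stages, sources, 1..5 scale, roles and sample risks are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Stage(Enum):
    IDENTIFICATION = "identification"
    DECISION = "decision_making"    # analysed, waiting on the DMA
    TREATMENT = "treatment"
    CLOSURE = "closure"
    MONITORING = "monitoring"       # accepted risks sit here, time-bound

DEFINED_SOURCES = {"audit", "vuln_scan", "incident", "self_assessment", "pmo"}  # assumed list
MAX_MONITORING = timedelta(days=365)  # slide: monitoring "should not exceed one year"

@dataclass
class Risk:
    risk_id: str
    statement: str                # factual "what could go wrong", not a missing control
    source: str
    dma: str                      # Decision Making Authority allowed to decide this risk
    rto: str | None = None        # Risk Treatment Owner, set when the decision is "treat"
    stage: Stage = Stage.IDENTIFICATION
    likelihood: int = 0           # 1..5
    impact: int = 0               # 1..5; rank = likelihood * impact ("Simplify Ranking")
    decision: tuple[str, str] | None = None   # (decision, rationale) recorded from the DMA
    target_date: date | None = None
    monitor_until: date | None = None

class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}
        self.flags: list[tuple[str, str, str]] = []  # (risk_id, kind, detail) management must see
    def _at(self, rid: str, stage: Stage) -> Risk:
        r = self.risks[rid]
        if r.stage is not stage:
            raise ValueError(f"{rid} is in {r.stage.value}, expected {stage.value}")
        return r
    def identify(self, r: Risk) -> Risk:
        if r.source not in DEFINED_SOURCES:  # "Defined Sources"
            raise ValueError(f"{r.risk_id}: undefined source {r.source!r}")
        self.risks[r.risk_id] = r
        return r
    def analyse(self, rid: str, likelihood: int, impact: int) -> Risk:
        r = self._at(rid, Stage.IDENTIFICATION)
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):  # "Clear, Consistent Criteria"
            raise ValueError("ratings must be on the 1..5 scale")
        r.likelihood, r.impact, r.stage = likelihood, impact, Stage.DECISION
        return r
    def decide(self, rid: str, by: str, decision: str, rationale: str, today: date,
               rto: str | None = None, target: date | None = None,
               monitor_for: timedelta = MAX_MONITORING) -> Risk:
        r = self._at(rid, Stage.DECISION)
        if by != r.dma:  # "Appropriate DMA"
            raise PermissionError(f"{by} is not the DMA for {rid}")
        if decision not in ("accept", "treat"):
            raise ValueError(f"unknown decision {decision!r}")
        r.decision = (decision, rationale)
        if decision == "accept":
            r.monitor_until = today + min(monitor_for, MAX_MONITORING)  # never past one year
            r.stage = Stage.MONITORING
            self.flags.append((rid, "accepted", rationale))
        else:
            if not (rto and target):  # "Plan with Dates & Milestones"
                raise ValueError("treatment needs an RTO and a target date")
            r.rto, r.target_date, r.stage = rto, target, Stage.TREATMENT
        return r
    def retarget(self, rid: str, new_date: date, reason: str) -> Risk:
        r = self._at(rid, Stage.TREATMENT)
        self.flags.append((rid, "target_changed", f"{r.target_date} -> {new_date}: {reason}"))
        r.target_date = new_date
        return r
    def validate(self, rid: str, passed: bool, evidence: str) -> Risk:
        r = self._at(rid, Stage.TREATMENT)
        if not evidence:  # "Demonstrable Evidence"
            raise ValueError("validation needs recorded evidence")
        if passed:
            r.stage = Stage.CLOSURE
        else:
            self.flags.append((rid, "validation_failed", evidence))  # stays with the RTO
        return r
    def overdue(self, today: date) -> list[str]:
        # Treatments past their target date, plus accepted risks whose monitoring window lapsed.
        due = {Stage.TREATMENT: "target_date", Stage.MONITORING: "monitor_until"}
        return [r.risk_id for r in self.risks.values()
                if r.stage in due and getattr(r, due[r.stage]) < today]

def demo(today: date = date(2018, 3, 20)) -> RiskRegister:
    # Constructed walk-through: one accepted risk, one treated risk that slips and fails validation.
    reg = RiskRegister()
    reg.identify(Risk("R-1", "Legacy file server runs an unsupported OS", "vuln_scan", dma="cio"))
    reg.identify(Risk("R-2", "Vendor accounts keep access after contract end", "audit", dma="ciso"))
    reg.analyse("R-1", likelihood=3, impact=4)
    reg.analyse("R-2", likelihood=4, impact=4)
    # The DMA asks for 18 months of acceptance; the register caps monitoring at 365 days.
    reg.decide("R-1", "cio", "accept", "decommission funded next FY", today, monitor_for=timedelta(days=540))
    reg.decide("R-2", "ciso", "treat", "control gap", today, rto="iam_lead", target=today + timedelta(days=90))
    reg.retarget("R-2", today + timedelta(days=150), "offboarding feed delayed")
    reg.validate("R-2", passed=False, evidence="3 of 20 sampled vendor accounts still active")
    return reg
```

After demo() runs, reg.flags holds exactly the three things the slide says leadership must see (R-1 accepted, R-2 target date moved, R-2 validation failed), and reg.overdue() on a later date surfaces the slipped treatment and, once the year is up, the accepted risk whose monitoring window has lapsed. Feeding those two lists into the weekly analyst review and the quarterly leadership deck is the whole of the "Run" phase; a GRC tool adds workflow and notification around the same transitions.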

Recap: Driving Accountability Through An Effective Risk Register
1. Pain Points
2. Risk Register: Components
3. Risk Register: Process
4. Risk Register: Effectiveness
5. Target State: Achieved

Thank you.
Chris Womack, CIA, CISA, GCCC, Director Information Security Governance, BBVA Compass
christopher.womack@bbva.com