Driving Accountability Through An Effective Risk Register
Version 2018.1
ISACA Birmingham Chapter, March 20, 2018 - Lunch & Learn
Chris Womack, CIA, CISA, GCCC
Director, Information Security Governance, BBVA Compass
Current State
- Risks continue to grow in the IT and cybersecurity environments.
- IT auditors are charged to do more with fewer resources.
- Unfortunately, it is difficult to get past the low-hanging-fruit findings into something more meaningful.
Pain Points
1. Repeat audit findings
2. Technical debt
3. Excessive vulnerabilities
4. Permanent exceptions
5. Known policy / procedure gaps
6. Lack of traction to resolve issues
7. Legacy mindsets
Target State
Focus on more meaningful issues:
- Deliver valuable issues / reports
- Propel process maturity
- Drive individual accountability
Create a Risk Register
Path Forward
Create a Risk Register:
- Design: Identify Components
- Build: Create Register / Process
- Run: Drive Accountability
Identify Components

RACI:
- Analysts
- Subject Matter Experts (SMEs)
- Decision Making Authority (DMAs)
- Risk Treatment Owners (RTOs)
- Working Group
- Steering Committee

Criteria: Types of Risks
- PMO: Project Risks
- InfoSec: CIA of Information Assets
- IT: Governance of Enterprise IT

Workflow Stages:
- Identification
- Analysis
- Decision Making
- Treatment
- Monitoring
- Validation
- Closure

Technology:
- GRC Tools
- Automation
- Workflows
- Notification
- Reporting
Process
01 Identification
Risks can be identified from multiple sources in the environment.
Key Points for Success:
- Clear, Consistent Criteria
- Defined Sources
- Decision Required
02 Analysis
Risks of all sizes can affect an organization. This stage is essential for determining the potential impact.
Key Points for Success:
- Know Your Audience
- Factually State the Risk (WCGW: what could go wrong)
- No Control Reversal
- Qualify & Quantify the Risk
- Simplify Ranking
03 Decision Making
The Decision Making Authority (DMA) should be provided the appropriate amount of information to make a well-informed decision.
Key Points for Success:
- Thorough Analysis
- Appropriate DMA
- Understand DMA Decision / Rationale
- Avoid Surprises
04 Risk Treatment
The Risk Treatment Owner (RTO) should be held accountable for providing a plan that appropriately addresses the risk.
Key Points for Success:
- Plan with Dates & Milestones
- Short & Long-Term Treatment
- Routine Updates
- Accurate Target Dates
05 Validation
Risk validation should reflect that the treatment was successful in fulfilling the treatment decision.
Key Points for Success:
- Validation Preparation
- SME Communication
- Demonstrable Evidence
06 Closure
Once the risk has been appropriately addressed, it can be closed. This stage can be used to reflect on the efficiency and effectiveness of the process.
Key Points for Success:
- Perform Quality Control
- Calculate Measurements & Metrics
- Prepare Reporting
- Continual Process Improvement
07 Monitoring
Monitoring is a time-bound stage for a risk. The timing can be set per risk, but should not exceed one year.
Key Points for Success:
- Routine Interim and Periodic Updates
- Ensuring Progress
- Reporting Changes in Constraints
Visibility, Accountability, Effectiveness
In order to be effective, the products of the process must be seen by appropriate levels of management:
- Risks accepted;
- Target dates changed; and
- Validation failed.

- Quarterly Leadership Meetings - Executive Management
- Monthly Working Groups - Management
- Weekly Register Reviews - Analysts
Recap: Driving Accountability Through An Effective Risk Register
1. Pain Points
2. Risk Register: Components
3. Risk Register: Process
4. Risk Register: Effectiveness
5. Target State: Achieved
Thank you.
Chris Womack, CIA, CISA, GCCC
Director, Information Security Governance, BBVA Compass
christopher.womack@bbva.com