Operational Risk in Business

Size: px

Start display at page:

Download "Operational Risk in Business"

Rudolf Howard
5 years ago
Views:

1 Operational Risk in Business Gavin Dyche Manager, Risk 8 March 2017

2 SESSION OVERVIEW 1. JLT Overview 2. Risk & Risk Management 3. Strategic & Operational Risk 4. Business Continuity 5. Fraud & Cyber 2

3 KEEP AN EYE OUT 3

4 1 WHO ARE JARDINE LLOYD THOMPSON

5 JLT OVERVIEW When talking about the start of the JLT Community Series What is JLT? It sounds a bit like a sandwich to me. Jonathan Brown, Nova FM 5

6 JLT OVERVIEW OUR BUSINESS 6

7 JLT OVERVIEW OUR CLIENTS 7

8 2 RISK AND RISK MANAGEMENT

9 RISK AND RISK MANAGEMENT When I grow up, I want to work in Risk Management said nobody ever! 9

10 RISK Risk = Potential of losing something of value A probability of threat or damage A situation involving exposure to danger The possibility that something unpleasant or unwelcome will happen 10

11 SOURCES OF RISK Natural Events Human Behaviour Legislative Compliance Commercial Relationships Assets & Operations Political Circumstances Technology 11

12 RISK AS OPPORTUNITY

13 WHY MANAGE RISK Risk management is about deciding which risks to take and how to manage their outcomes. There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction. President John F. Kennedy 13

14 RISK MANAGEMENT PROCESS 14

15 RISK MANAGEMENT IS PART OF US ALL You are qualified in risk management if you have ever: o Negotiated a road crossing safely o Ridden a bike or driven a car o Booked a holiday o Raised children* * You should be up here doing the talking 15

16 GOOD RISK MANAGEMENT

17 POOR RISK MANAGEMENT

18 IN A LEAGUE OF THEIR OWN

19 RISK MANAGEMENT EXAMPLE Standard Operating Procedures / Process Map 19

20 KICK YOUR TYRES 20

21 WHEN I KICKED SOME TYRES Fraud Losses Bad debt write-offs $0 $11m 21

22 WHEN I KICKED SOME TYRES Some of the bad-debt in the names of.. Ms Anita Bath Mr Rippen Youoff Mr Hugh Jass Mr R Swyper Mrs R Slicker Lord Van Hugendong 22

23 3 STRATEGIC & OPERATIONAL RISKS

24 TYPES OF RISKS Strategic risks LINK TO EACH OTHER Operational risks Project risks 24

25 RISK AND RISK MANAGEMENT Strategic Risk = Risk that may prevent delivery of strategic objectives Risk arising from a poor strategic business decision Operational/Corporate Risk = Risks arising through provision of services inadequate or failed processes, poorly designed procedures, people (human error), systems and external events. 25

26 ARTICULATING THE RISKS Example We have a lot of problems getting the right people to do the job We train them up and then can t keep them for long What is the risk? Inability to attract and retain staff with high levels of knowledge and expertise Increased costs through churn of staff (recruitment, training, etc.) 26

27 CLASSIFYING THE RISK / RISK APPETITE 27

28 RISK PROFILE. Human Resources Financial Political Information Legal / Technology Governance Inability to attract & retain staff Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Risk Title Legend High Significant Moderate Low High risk: Immediate action required Significant risk: Senior management attention required Medium risk: Management responsibility must be specified Low risk: Manage by routine procedures. 28

29 4 BUSINESS CONTINUITY

30 WHAT IS BUSINESS CONTINUITY? Business Continuity (BC) is defined as the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (source: ISO 22301:2012) BCP = Business Continuity Plan BCM = Business Continuity Management ITDRP Information Technology Disaster Recovery Plan EM Emergency Management BIA Business Impact Analysis SPF Single Point of Failure 30

lives, equipment, assets and infrastructure.

level of service provision to those functions/services deemed critical to the

31 WHAT DOES IT ALL MEAN? Emergency Management Plan (EMP) Focussed on the safeguard and preservation of lives, equipment, assets and infrastructure. Business Continuity Plan (BCP) To maintain or restore at least a minimal level of service provision to those functions/services deemed critical to the continuity of the organisation. The BCP should include prioritisation. IT Disaster Recovery Plan (ITDRP) To restore or maintain technology infrastructure (enabler). 31

32 A GOOD BUSINESS CONTINUITY PLAN WILL Remove/reduce subjectivity around prioritisation of services/ functions, minimising the period of disruption to services/ functions Identify your Single Points of Failure (SPF) Provide those responsible (process owners) with a guide/reminder of what they should consider and what actions are required Provide those picking up the reigns with a fighting chance of knowing what to do and who to speak to Inform other dependencies and priorities (i.e. ITDRP)

A BUSINESS CONTINUITY PLAN WON T Be a manual or replacement guide for good management practice and decision making Be a script for every type of scenario which may occur Add

33 A BUSINESS CONTINUITY PLAN WON T Be a manual or replacement guide for good management practice and decision making Be a script for every type of scenario which may occur Add complexity, overbearing detail and uncertainty to a situation Be something that is regarded as a on the shelf document which is relied upon for all the answers periodically.

34 5 FRAUD AND CYBER

35 FRAUD IN THE NEWS we got you!

36 WHAT ARE THE EXPERTS TELLING US? Extrapolated information recently reported by the Association of Certified Fraud Examiners that organisations lose five per cent of their annual revenue to fraud

37 CURRENT SCAMS Some impersonators are easy to spot.. Others are not!

38 PHISHING

39 RANSOMWARE

40 SKIMMING

41 VALUE OF FRAUD $114 Billion $85 Billion

42 HAVE YOU BEEN HACKED?

43 HAVE YOU BEEN HACKED?

44 SCAM STATISTICS - VICTORIA

45 DO WE QUESTION THINGS

46 DO WE QUESTION THINGS Quantum = Some All = All

47 DO WE QUESTION THINGS Quantum = 8 POWER ACTIONS All = 6 POWER ACTIONS

48 DO WE QUESTION THINGS

49 DO WE QUESTION THINGS

50 WHY DO PEOPLE COMMIT FRAUD?

51 FRAUD PREVENTION FRAMEWORK

52 FRAUD RISK ASSESSMENT

53 FROM LITTLE THINGS BIG THINGS CAN GROW A Manager allowing deviation from standard operating procedures. An employee accepting a gift from a supplier or contractor An employee taking home surplus stock

54 HOW CONTROLS FAIL T R A N S A C T I O N Check 1 Check 2 Check 3

55 IF 99% EFFECTIVE WAS GOOD ENOUGH IN LIFE 12 newborn babies given to the wrong parents each day 20,000 drug prescriptions incorrect per year No electricity worldwide for 14mins per day 930 planes falling out the sky per year Water unsafe to drink for 3 days per year

56 CYBER CRIME

57 WHAT IS YOUR RISK?

58 ASHLEY MADISON Business model of questionable morals/taste Client base of 39 million across 53 countries Gross profit of $115m in 2014 Valued in excess of $1bn 200+ employees 17,000 users per second Money generated through functionality charges and fees (i.e. removal of profile = $19)

59 ASHLEY MADISON Hacked in July 2015 and member details published online including; Names Addresses Credit card information Search history Profile pictures

60 ASHLEY MADISON $576m class action by members and significant regulatory (e.g. breach of privacy) action to follow. Hack has highlighted numerous questionable operationally deceptive procedures. Members subsequently extorted through s requesting $300USD.

61 GOVERNMENT HACKING Dropped USBs and Optical Drives in staff carpark Phishing s & Malware on USB Follow-up through fake IT support calls

62 OUTCOME 60% plugged in USB Drive 90% where branded with an official logo 22% clicked on URL in phishing 40% provided passwords over the phone

63 RECENT FRAUD CASE STUDY Change of Bank Details Scam

64 RECENT FRAUD CASE STUDY Key Facts o o o Scammer may initially contact organisation by phone impersonating known supplier requesting change of bank details. Scammer follows up in writing ( ) and attaching instruction allegedly signed by a signatory. Bank account details amended and subsequent invoices paid to new (fraudulent) details.

65 RECENT FRAUD CASE STUDY It s all in the fine detail Scammer example Gavin.Dyche@jlt.com Genuine example Gavin.Dyche@jlta.com.au Signatory info may be incorrect on closer inspection BSB is not domiciled to HQ

66 IN SUMMARY, FOR CONSIDERATION Business Continuity What are your priorities? Leverage risk management/integrate into ops. Technology What is critical, where is it stored?

67 GOLDEN EGGS KICK THE TYRES PEE N LEARN Effective Risk Management, Business Continuity, Fraud & Cyber prevention is all about foresight. There are no prizes for hindsight..

68 QUESTIONS? Gavin Dyche

A Review of Actual Fraud Cases in 2017 FRAUD REVIEW

A Review of Actual Fraud Cases in 2017 FRAUD REVIEW Contents Introduction 3 Fraud Snapshot 4 Case Studies Credit Card Fraud 5 Business Email Compromise Fraud 6 Payroll Fraud 7 Supplier Fraud 8 Outlook