IT auditing Principles of Risk Management Conducted by


1 Seminar Information Systems, IT auditing: Principles of Risk Management. Conducted by Prof. dr K.M. van Hee, A.W. Kisjes RE RA. semester

2 What is risk management?
Risk management objectives / Risk objects / Risk Analysis, Risk Evaluation / Development of mitigation plans
Not to eliminate risks, but to identify them and minimize their effects through:
* improved awareness of their likelihood of occurrence and potential impact; and
* development and implementation of appropriate mitigation plans
Definition of risk management scope
Identification of risks
Estimation of their likelihood of occurrence
Estimation of their causes and the magnitude of their potential impact
Identification of potential causes
Development of mitigation plans

3 Diagram: risk identification; risk objects; qualitative analysis; root cause; evidence; quantitative analysis; risk register; risk mitigation action plans; risk monitoring and control

4 Source: IRM/Airmic


6 Risks relate to business artefacts. All rights reserved, 2007 Pulinco/Agilos

7 The risk eco system (diagram). Labels: questions, Instruction, Definition, Stakeholder map, Validation topic, Measurement, Rule set, Risk, Business rule (control), Validation object, Validation point, Activity, Procedure, Empowerment, Self assessment, Integration, Checklist, Assessment, Benchmark, Questionnaire. The slide also shows a process-flow sketch (Sequence A, Fork A, Branch C) and a sample checklist with the columns Topic / Question, Answer and Note under the heading 3 SECURITY POLICY.

8 Characteristics of a Risk Template

9 Link with Measures/Internal controls (through business rules)

10 Risk Action Template


12 Risk Management: a cyclic process with the Big Picture scope (diagram). Phases shown: Analyzing, Monitoring, Developing, Running, with continuous improvement. Labels: Enterprise-, Library model; Models, Guidelines; Discovery; Facts, Numbers & Figures; MIS & Cockpit; Service Application; Business Application ERP; Business Application CRM; Business Process Management; Sources; Enterprise Content Management; Development Workbench; Rule Engine; Repository; Business Intelligence; DWH; Test Generator; Simulation.

13 Definitions (1)
* Decisions to accept exposure or to reduce vulnerabilities by either mitigating the risks or applying cost effective controls.
* Decisions about whether an assessed risk is sufficiently high to present a public health concern and about the appropriate means for control of a risk judged to be significant.
* The process of evaluating and selecting alternative regulatory and non-regulatory responses to risk. The selection process necessarily requires the consideration of legal, economic, and behavioral factors.
* Risk management is the decision-making process involving considerations of political, social, economic and engineering factors with relevant risk assessments relating to a potential hazard so as to develop, analyse and compare regulatory options and to select the optimal regulatory response for safety from that hazard. Essentially risk management is the combination of three steps: risk evaluation; emission and exposure control; risk monitoring.
* The identification and acceptance or offsetting of the risks threatening the profitability or existence of an organisation. With respect to foreign exchange involves among others consideration of market, sovereign, country, transfer, delivery, credit, and counterparty risk.
* The employment of financial analysis and trading techniques to reduce and/or control exposure to various types of risk.
* Clinical and administrative activities undertaken to identify, evaluate, and reduce the risk of injury to patients, staff, and visitors and the risk of loss to the organization itself.
* The systematic application of management policies, procedures and practices to the tasks of identifying, analysing, evaluating, treating and monitoring risk.
* The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
* To hedge one's risk they will employ financial analysis and trading techniques.
* A systematic approach used to identify, evaluate, and reduce or eliminate the possibility of an unfavorable deviation from the expected outcome of medical treatment and thus prevent the injury of patients as a result of negligence and the loss of financial assets resulting from such injury.
* The quantifiable likelihood of loss or less-than-expected returns. Examples: currency risk, inflation risk, principal risk, country risk, economic risk, mortgage risk, liquidity risk, market risk, opportunity risk, income risk, interest rate risk, prepayment risk, credit risk, unsystematic risk, call risk, business risk, counterparty risk, purchasing-power risk, event risk.

14 Definitions (2)
* The use of various management practices to reduce the production and financial risk of the business. Commonly used practices include diversification, purchasing insurance, hedging or forward contracting, maintaining cash reserves and maintaining flexibility in the operation.
* The process of actively monitoring/controlling exposure to various types of risks while attempting to maximize returns. Typically involves utilizing a variety of trading techniques, models and financial analyses. (fxtrade.oanda.com/help/glossary/glossaryl_r.html)
* Having identified the business risks through the Business Continuity Plan, it is essential that a full risk management programme is introduced and maintained at all times.
* Risk management is a system for decreasing the chance for injury or accidents in a given area, in this case a fraternity or sorority house. These Risk Management policies are to protect our fraternity and sorority members from issues relating to illegal drinking and substance use and abuse, fire code regulations, hazing, legal implications of fraternity and sorority affairs, and social events such as parties and socials. (studentaffairs.shu.edu/phikaps/html/recruitment/glossary.html)
* The active identification, evaluations, and management of all the potential hazards and exposures to loss a risk may experience. The handling of those exposures is not limited to insurance options, but includes a variety of methods such as alternative financing, retention, reduction, elimination, transfer, and/or any combination of methods.
* The process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk cost with mission benefits.
* The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review. [8]
* Management tool for the comprehensive identification and assessment of risks based on knowledge and experience in the fields of natural sciences, technology, economics and statistics.
* Process of identifying, assessing, and reducing the risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
* The identification, assessment, allocation, mitigation and monitoring of risks associated with a project.
* The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA (Designated Approving Authority) approval.

15 UK: IRM, Institute of Risk Management; AIRMIC, The Association of Insurance and Risk Managers

16 Corporate governance is the set of processes, customs, policies, laws and institutions affecting the way in which a corporation is directed, administered or controlled. Corporate governance also includes the relationships among the many players involved (the stakeholders) and the goals for which the corporation is governed. The principal players are the shareholders, management and the board of directors. Other stakeholders include employees, suppliers, customers, banks and other lenders, regulators, the environment and the community at large. Corporate governance is a multi-faceted subject. An important theme of corporate governance deals with issues of accountability and fiduciary duty, essentially advocating the implementation of policies and mechanisms to ensure good behaviour and protect shareholders. Another key focus is the economic efficiency view, through which the corporate governance system should aim to optimize economic results, with a strong emphasis on shareholders' welfare.

17 Enterprise Risk Management (ERM) - 1: ERM refers to the methods and processes used by organizations to manage risks (or seize opportunities) related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

18 Enterprise Risk Management (ERM) - 2: By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations management and internal control. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies.

19 The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as: "A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Figure (COSO ERM cube): objective categories Strategic, Operations, Reporting, Compliance; components Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring; levels Entity-Level, Division, Business Unit, Subsidiary.

20 The COSO ERM Framework has eight components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994.
The eight components (additional components highlighted) are:
* Internal Environment
* Objective Setting
* Event Identification
* Risk Assessment
* Risk Response
* Control Activities
* Information and Communication
* Monitoring
The four objectives categories (additional components highlighted) are:
* Strategy: high-level goals, aligned with and supporting the organization's mission
* Operations: effective and efficient use of resources
* Financial Reporting: reliability of operational and financial reporting
* Compliance: compliance with applicable laws and regulations

21 RIMS Risk Maturity Model for Enterprise Risk Management. Enterprise Risk Management (ERM) as defined by the Risk and Insurance Management Society (RIMS) is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. ERM is a comprehensive view of risk from both operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploitation of opportunities. According to the RIMS Risk Maturity Model for ERM, the following seven core competencies, or attributes, measure how well enterprise risk management is embraced by management and ingrained within the organization. A maturity level is determined for each attribute, and ERM maturity is determined by the weakest link.

22 Primary risk functions in large corporations include:
* Strategic planning: identifies external threats and competitive opportunities, along with strategic initiatives to address them
* Marketing: understands the target customer to ensure product/service alignment with customer requirements
* Compliance & Ethics: monitors compliance with code of conduct and directs fraud investigations
* Accounting / Financial compliance: directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks
* Law Department: manages litigation and analyzes emerging legal trends that may impact the organization
* Insurance: ensures the proper insurance coverage for the organization
* Treasury: ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
* Operational Quality Assurance: verifies operational output is within tolerances
* Operations management: ensures the business runs day-to-day and that related barriers are surfaced for resolution
* Credit: ensures any credit provided to customers is appropriate to their ability to pay
* Customer service: ensures customer complaints are handled promptly and root causes are reported to operations for resolution
* Internal audit: evaluates the effectiveness of each of the above risk functions and recommends improvements

23 Common ERM topics and challenges include:
* Identifying executive sponsors for ERM.
* Establishing a common risk language or glossary.
* Identifying and describing the risks in a "risk inventory".
* Implementing a risk-ranking methodology to prioritize risks within and across functions.
* Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.
* Establishing ownership for particular risks and responses.
* Demonstrating the cost-benefit of the risk management effort.
* Developing action plans to ensure the risks are appropriately managed.
* Developing consolidated reporting for various stakeholders.
* Monitoring the results of actions taken to mitigate risk.
* Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.

24 7 Competencies / Attributes in Risk Maturity as defined by RIMS
1. ERM-based approach: Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.
2. ERM process management: Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools and models.
3. Risk appetite management: Degree of understanding the risk-reward tradeoffs within the business. Accountability within leadership and policy to guide decision-making and attack gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk and risk tolerance defines the variation of measuring risk appetite that management deems acceptable.
4. Root cause discipline: Degree of discipline applied to measuring a problem's root cause and binding events with their process sources to drive the reduction of uncertainty, collection of information and measurement of the controls' effectiveness. The degree of risk from people, external environment, systems, processes and relationships is explored.
5. Uncovering risks: Degree of quality and penetration coverage of risk assessment activities in documenting risks and opportunities. Degree of collecting knowledge from employee expertise, databases and other electronic files (such as Microsoft Word, Excel, etc.) to uncover dependencies and correlation across the enterprise.
6. Performance management: Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan's balanced scorecard, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or expectations.
7. Business resiliency and sustainability: Extent to which the ERM Process's sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, business liquidity, etc.

25 Business Continuity Planning (BCP) and Business Continuity Management (BCM) is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption. The logistical plan is called a Business Continuity Plan. In plain language, BCP is how an organization prepares for future incidents that could jeopardize the organization's core mission and its long-term health. Incidents include local incidents like building fires, regional incidents like earthquakes, and national incidents like pandemic illnesses.

26 British Standard. BCP may be a part of an organizational learning effort that helps reduce operational risk associated with lax information management controls. This process may be integrated with improving information security and corporate reputation risk management practices. In December 2006, the British Standards Institute released a new independent standard for BCP: BS25999. Prior to the introduction of BS25999, BCP professionals relied on BSI information security standard BS7799, which only peripherally addressed BCP to improve an organization's information security compliance. BS25999's applicability extends to organizations of all types, sizes, and missions, whether governmental or private, profit or non-profit, large or small, or industry sector.

27 Operational Risk Management (ORM) is the oversight of many forms of day-to-day operational risk, including the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk does not include market risk or credit risk. Specifically in use in the financial services industry.

28 Benefits of ORM:
* Reduction of operational loss.
* Lower compliance/auditing costs.
* Early detection of unlawful activities.
* Reduced exposure to future risks.

29 The Basel Committee on Banking Supervision breaks down loss events into seven general categories:
* Internal Fraud: Loss due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
* External Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party. These activities include theft, robbery, hacking or phishing attacks.
* Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination.
* Clients, Products & Business Practice: Losses arising from unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature of design of a product.
* Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events. See disaster recovery or business continuity planning.
* Business Disruption & Systems Failures: Losses arising from disruption of business or system failures. This includes loss of due to failure of computer hardware, computer software, telecommunications failure or utility outage and disruptions.
* Execution, Delivery & Process Management: Losses from failed transaction processing or process management, from relations with trade suppliers and vendors.

30 Execution, Delivery & Process Management: Losses from failed transaction processing or process management, from relations with trade suppliers and vendors. This includes:
* Transaction Capture, Execution & Maintenance: miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; model / system misoperation; accounting error, entity attribution error; delivery failure; collateral management failure; reference data maintenance
* Monitoring & Reporting: failed mandatory reporting obligation; inaccurate external report (loss incurred)
* Customer Intake & Documentation: client permissions / disclaimers missed; legal documents missing / incomplete
* Customer / Client Account Management: unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets
* Trade partners: non-client vendor misperformance; vendor disputes

31 Value at risk (VaR) is, in economics and finance, a measure of how the market value of an asset or of a portfolio of assets is likely to decrease over a certain time period (usually over 1 day or 10 days) under usual conditions. VaR is typically used by security houses or investment banks to measure the market risk of their asset portfolios (market value at risk), but is actually a very general concept that has broad application. Other measures of risk include volatility/standard deviation, semi variance (or downside risk) and expected shortfall.

32 Value at Risk

33 VaR: Three parameters and three common calculation models
Three parameters:
* The time horizon (period) to be analyzed (i.e., the length of time over which one plans to hold the assets in the portfolio, the "holding period").
* The confidence level at which the estimate is made. Popular confidence levels usually are 99% and 95%.
* The unit of the currency which will be used to denominate the value at risk (VaR).
Three common calculation models:
* (a) variance-covariance (VCV), assuming that risk factor returns are always (jointly) normally distributed and that the change in portfolio value is linearly dependent on all risk factor returns,
* (b) the historical simulation, assuming that asset returns in the future will have the same distribution as they had in the past (historical market data),
* (c) Monte Carlo simulation, where future asset returns are more or less randomly simulated.
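The three calculation models from slide 33, applied to one portfolio, as an added example that is not part of the original slides. The two-asset portfolio, its positions and the 250-day return history are constructed for illustration, and the square-root-of-time scaling in the VCV function is an assumption.

```python
"""Added example: three VaR models on one constructed two-asset portfolio."""
import math
import random
from statistics import NormalDist, fmean

POSITIONS = [600_000.0, 400_000.0]  # constructed positions: equity, bond (currency units)


def constructed_history():
    """Constructed sample (not market data): 250 days of (equity, bond) returns."""
    pattern = [0.004, -0.003, 0.002, -0.005, 0.006, -0.004, 0.001, -0.002, 0.003, -0.001]
    days = [(pattern[d % 10], -0.25 * pattern[d % 10]) for d in range(250)]
    # Three constructed crash days on which both assets fall together.
    for day, equity_return in ((40, -0.05), (120, -0.06), (200, -0.07)):
        days[day] = (equity_return, -0.01)
    return days


def covariance_matrix(history):
    """Mean of each risk factor and the sample covariance matrix (n - 1 denominator)."""
    n, k = len(history), len(history[0])
    means = [fmean(day[i] for day in history) for i in range(k)]
    cov = [[sum((day[i] - means[i]) * (day[j] - means[j]) for day in history) / (n - 1)
            for j in range(k)] for i in range(k)]
    return means, cov


def loss_quantile(losses, confidence):
    """Loss that is not exceeded in `confidence` of the observations."""
    ordered = sorted(losses)
    index = math.ceil(round(confidence * len(ordered), 9)) - 1
    return ordered[index]


def var_variance_covariance(history, positions, confidence, horizon_days=1):
    """(a) VCV: returns jointly normal, portfolio value linear in the returns."""
    means, cov = covariance_matrix(history)
    k = len(positions)
    mean_pnl = sum(positions[i] * means[i] for i in range(k))
    variance = sum(positions[i] * positions[j] * cov[i][j]
                   for i in range(k) for j in range(k))
    sigma = math.sqrt(max(variance, 0.0))
    z = NormalDist().inv_cdf(confidence)
    # Assumption: i.i.d. daily returns, so sigma scales with sqrt(horizon).
    return z * sigma * math.sqrt(horizon_days) - mean_pnl * horizon_days


def var_historical(history, positions, confidence):
    """(b) Historical simulation: replay every past day on today's positions."""
    losses = [-sum(p * r for p, r in zip(positions, day)) for day in history]
    return loss_quantile(losses, confidence)


def cholesky(cov):
    """Lower-triangular factor of the covariance matrix (zero pivots tolerated)."""
    k = len(cov)
    lower = [[0.0] * k for _ in range(k)]
    for i in range(k):
        for j in range(i + 1):
            s = sum(lower[i][m] * lower[j][m] for m in range(j))
            if i == j:
                lower[i][j] = math.sqrt(max(cov[i][i] - s, 0.0))
            else:
                lower[i][j] = (cov[i][j] - s) / lower[j][j] if lower[j][j] else 0.0
    return lower


def var_monte_carlo(history, positions, confidence, simulations=20000, seed=2007):
    """(c) Monte Carlo: simulate correlated normal returns, then take the quantile."""
    means, cov = covariance_matrix(history)
    lower = cholesky(cov)
    rng = random.Random(seed)
    k = len(positions)
    losses = []
    for _ in range(simulations):
        shocks = [rng.gauss(0.0, 1.0) for _ in range(k)]
        returns = [means[i] + sum(lower[i][m] * shocks[m] for m in range(i + 1))
                   for i in range(k)]
        losses.append(-sum(p * r for p, r in zip(positions, returns)))
    return loss_quantile(losses, confidence)


if __name__ == "__main__":
    history = constructed_history()
    for confidence in (0.95, 0.99):
        print(f"1-day VaR at {confidence:.0%}:",
              f"VCV={var_variance_covariance(history, POSITIONS, confidence):,.0f}",
              f"historical={var_historical(history, POSITIONS, confidence):,.0f}",
              f"Monte Carlo={var_monte_carlo(history, POSITIONS, confidence):,.0f}")
```

On this constructed history the 99% historical VaR (34,000) is about three times the variance-covariance figure (about 11,450), while at 95% the ordering reverses (2,500 against about 8,230). The gap comes from the normality assumption in models (a) and (c), which spreads the three crash days across the whole distribution.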

34 Homeland Security (1): Homeland security is officially defined by the National Strategy for Homeland Security as a concerted national effort to prevent terrorist attacks within the United States, reduce America's vulnerability to terrorism, and minimize the damage and recover from attacks that do occur. Because the US Department of Homeland Security (DHS) includes the Federal Emergency Management Agency (FEMA), it has responsibility for preparedness, response and recovery to natural disasters as well.

35 Homeland Security (2): The scope of homeland security includes:
* Emergency preparedness and response (for both terrorism and natural disasters), including volunteer medical, police, Emergency Management and fire personnel;
* Domestic intelligence activities, largely today within the FBI;
* Critical infrastructure protection;
* Border security, including both land and maritime borders;
* Transportation security, including aviation and maritime transportation;
* Biodefense;
* Detection of nuclear and radiological materials;
* Research on next-generation security technologies

36 Social risk management (SRM) is a new conceptual framework assigned and designed by the World Bank. The objective of SRM is to extend the traditional framework of social policy to non-market based social protection, of which the three primary strategies are prevention, mitigation, and coping. It is now well understood that social unrest runs parallel to poverty. Assisting individuals, households and communities to raise their living standard above the poverty level will harmonize the global economy and strengthen social security.

37 Main Sources of Social Risks (adapted from Holzmann and Jorgensen, 2000 by Wikipedia)

Supervisor of Banks: Proper Conduct of Banking Business (12/12) Operational Risk Management Page Operational Risk Management

Supervisor of Banks: Proper Conduct of Banking Business (12/12) Operational Risk Management Page Operational Risk Management Operational Risk Management Page 350-1 Operational Risk Management Introduction 1. Operational risk is inherent in all banking products, activities, processes and systems. The effective management of operational

More information

MEMORANDUM. To: From: Metrolinx Board of Directors Robert Siddall Chief Financial Officer Date: September 14, 2017 ERM Policy and Framework

MEMORANDUM. To: From: Metrolinx Board of Directors Robert Siddall Chief Financial Officer Date: September 14, 2017 ERM Policy and Framework MEMORANDUM To: From: Metrolinx Board of Directors Robert Siddall Chief Financial Officer Date: September 14, 2017 Re: ERM Policy and Framework Executive Summary Attached are the draft Enterprise Risk Management

More information

THE BERMUDA MONETARY AUTHORITY BANKS AND DEPOSIT COMPANIES ACT 1999: The Management of Operational Risk

THE BERMUDA MONETARY AUTHORITY BANKS AND DEPOSIT COMPANIES ACT 1999: The Management of Operational Risk THE BERMUDA MONETARY AUTHORITY BANKS AND DEPOSIT COMPANIES ACT 1999: The Management of Operational Risk May 2007 Introduction 1 This paper sets out the policy of the Bermuda Monetary Authority ( the Authority

More information

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC.

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC. 1. Purpose: 1.1. Pedernales Electric Cooperative ( PEC ) is committed to delivering low-cost, reliable and safe energy solutions for the benefit of our members. In order to improve the likelihood of achieving

More information

Risk Management Policy & Procedures. Premier Ltd.

Risk Management Policy & Procedures. Premier Ltd. Risk Management Policy & Procedures Premier Ltd. [1] Risk management is attempting to identify and then manage threats that could severely impact the organization. Generally, this involves reviewing operations

More information

There are many definitions of risk and risk management.

There are many definitions of risk and risk management. Definition of risk There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the effect of uncertainty on objectives. In order to assist with the application

More information

Energize Your Enterprise Risk Management

Energize Your Enterprise Risk Management Energize Your Enterprise Risk Management Presented By Mark Caiazzo, CISA, CISM, CRISC Tammy Michaud, CPA May 15, 2017 Reviewed: Agenda Enterprise Risk Management Defined Benefits of ERM Key Components

More information

Agenda. Agenda (cont.) Risk Management Association. Loss Data in an Organization s DNA

Agenda. Agenda (cont.) Risk Management Association. Loss Data in an Organization s DNA Risk Management Association Internal Loss Events: Embedding Internal Loss Data in an Organization s DNA Agenda Overview and Context Background on Loss Data Defining the Objectives Objectives of Collecting

More information

ก ก Tools and Techniques for Enterprise Risk Management (ERM)

ก ก Tools and Techniques for Enterprise Risk Management (ERM) ก ก Tools and Techniques for Enterprise Risk Management (ERM) COSO ERM ISO ERM 31 2554 10:45 12:15.. 301, 302, 307 ก ก COSO Internal Control ERM Integrated Framework Application Technique ISO 31000 Guide

More information

ENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework

ENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework ENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework ENTERPRISE RISK MANAGEMENT (ERM) ERM Definition The Conceptual Frameworks: CAS and COSO Risk Categories Implementing ERM Why ERM? ERM Maturity

More information

Policy Number: 040 Risk Management August 2018

Policy Number: 040 Risk Management August 2018 Policy Number: 040 Risk Management August 2018 Policy Details 1. Owner Manager, Business Services 2. Compliance is required by Staff, contractors and volunteers 3. Approved by The Commissioner 4. Date

More information

Risky Business. Jaidev Iyer Operational Risk Expert, CEO J-Risk Advisors

Risky Business. Jaidev Iyer Operational Risk Expert, CEO J-Risk Advisors Risky Business Jaidev Iyer Operational Risk Expert, CEO J-Risk Advisors Speaker Information Jaidev Iyer Enterprise & Operational Risk Expert J-Risk Advisors Jaidev Iyer is a veteran of Citigroup, where

More information

7/25/2013. Presented by: Erike Young, MPPA, CSP, ARM. Chapter 2. Root Cause Analysis

7/25/2013. Presented by: Erike Young, MPPA, CSP, ARM. Chapter 2. Root Cause Analysis Presented by: Erike Young, MPPA, CSP, ARM 1 Chapter 2 Root Cause Analysis 1 Introduction to Root Cause Analysis Root Cause The event or circumstance that directly leads to an occurrence Root Cause Analysis

More information

Risk Management at the Deutsche Bundesbank March 2011

Risk Management at the Deutsche Bundesbank March 2011 Risk Management at the Deutsche Bundesbank March 2011 (C) Deutsche Bundesbank - Division Organisation 1 Agenda Definition of risk management [3] Factors of influence to review the RM set up [4] The Framework

More information

Applying COSO s Enterprise Risk Management Integrated Framework

Applying COSO s Enterprise Risk Management Integrated Framework Applying COSO s Enterprise Risk Management Integrated Framework COSO COSO stands for the Committee Of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations are: Institute of

More information

Best Practices in ENTERPRISE RISK MANAGEMENT. [ Managing Risks Holistically ]

Best Practices in ENTERPRISE RISK MANAGEMENT. [ Managing Risks Holistically ] Best Practices in ENTERPRISE RISK MANAGEMENT [ Managing Risks Holistically ] INTRODUCTIONS MODERATOR: Bob Lipps, JD, CPA PANELISTS: Ron Wilcox Abel Pomar Karen Gordon, Esq. THE EVOLUTION OF RISK Traditional

More information

Business Continuity Management and ERM

Business Continuity Management and ERM Business Continuity Management and ERM Partnership for Emergency Planning Kansas City Marshall Toburen GRC Strategist ERM, ORM, 3PM RSA A division of EMC 2 June 18, 2014 1 Agenda Intro State of ERM Today

More information

CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY GROUP RISK AND ASSURANCE SERVICES GROUP RISK MANAGEMENT POLICY

CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY GROUP RISK AND ASSURANCE SERVICES GROUP RISK MANAGEMENT POLICY CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY Effective Date 1 July 2015 TABLE OF CONTENTS 1. POLICY STATEMENT... 3 2. POLICY CONTEXT... 4 3. PURPOSE... 5 4. POLICY SCOPE AND APPLICATION... 6 5. RISK

More information

Finally ERM Made Easy: ERM for Dummies Has Evolved!

CONFERENCE PRESENTS Finally ERM Made Easy: ERM for Dummies Has Evolved! Presented by; Joanna Makomaski, P. Eng., CRM Dr. James Kallman, ARM Agenda Tuesday, September 23, 2008 8:30am to 10:00am Finally

Risk Management Framework

Risk Management Framework Anglican Church, Diocese of Perth November 2015 Final ( Table of Contents Introduction... 1 Risk Management Policy... 2 Purpose... 2 Policy... 2 Definitions (from AS/NZS ISO 31000:2009)...

1st Capacity Building Seminar on Enterprise Risk Management

1st Capacity Building Seminar on Enterprise Risk Management Hotel Sea Princess, Mumbai 10 th August 2018 ERM as a Business Enabler N K V Roop Kumar, EVP, Chief of Risk, Info & Cyber Security Management,

Thirty-Second Board Meeting Risk Management Policy

Thirty-Second Board Meeting Risk Management Policy 00 Month 2014 Location, Country Page 1 Board Decision THE RISK MANAGEMENT POLICY Purpose: 1. This document, Risk Management Policy (), presents: i) a

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK

ANNEXURE A ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK CONTENTS 1. Enterprise Risk Management Policy Commitment 3 2. Introduction 4 3. Reporting requirements 5 3.1 Internal reporting processes for risk

BERGRIVIER MUNICIPALITY. Risk Management Risk Appetite Framework

BERGRIVIER MUNICIPALITY Risk Management Risk Appetite Framework APRIL 2018 1 Document review and approval Revision history Version Author Date reviewed 1 2 3 4 5 This document has been reviewed by Version

Executive Board Annual Session Rome, May 2015 POLICY ISSUES ENTERPRISE RISK For approval MANAGEMENT POLICY WFP/EB.A/2015/5-B

Executive Board Annual Session Rome, 25 28 May 2015 POLICY ISSUES Agenda item 5 For approval ENTERPRISE RISK MANAGEMENT POLICY E Distribution: GENERAL WFP/EB.A/2015/5-B 10 April 2015 ORIGINAL: ENGLISH

Policy No. Contact Brian Orpin Version 3.0 Issue Date 28/11/2014 Telephone Review Date IA Date 09/08/2013

Information Governance Management of Risk Policy Policy No. Contact Brian Orpin Version 3.0 Email Brian.orpin@nhs.net Issue Date 28/11/2014 Telephone 0131 314 5360 Review Date IA Date 09/08/2013 Change

EFFECTIVE TECHNIQUES IN RISK MANAGEMENT. Joseph W. Mayo, PMP, RMP, CRISC September 27, 2011

EFFECTIVE TECHNIQUES IN RISK MANAGEMENT Joseph W. Mayo, PMP, RMP, CRISC September 27, 2011 Effective Techniques in Risk Management Risk Management Overview Exercise #1 Break Risk IT Exercise #2 Break Risk

Risk Management Strategy

Risk Management Strategy 2016 2019 Version: 6 Policy Lead/Author & Deputy Director of Quality position: Ward / Department: Nursing Directorate Replacing Document: Version 5 Approving Committee Quality

ENTERPRISE RISK MANAGEMENT (ERM) POLICY Republic Glass Holdings Corporation. Purpose. Goals

Purpose This Enterprise Risk Management Policy (the ERM policy) provides the framework for managing risks across ( RGHC or the Company ). It contains the policies to guide employees, management and the

Risk Management. Policy No. 14. Document uncontrolled when printed DOCUMENT CONTROL. SSAA Vic

Document uncontrolled when printed Policy No. 14 Risk Management DOCUMENT CONTROL Version: Date approved by Board: On behalf of Board: Jack Wegman 17 March 2015 26 March 2015 Denis Moroney President Next

Risk Evaluation, Treatment and Reporting

Chapter 8 Risk Evaluation, Treatment and Reporting In the previous chapter we looked at how risks are identified, described and estimated using a likelihood and consequences matrix. This is an essential

Business Auditing - Enterprise Risk Management. October, 2018

Business Auditing - Enterprise Risk Management October, 2018 Contents The present document is aimed to: 1 Give an overview of the Risk Management framework 2 Illustrate an ERM model Page 2 What is a risk?

Perpetual s Risk Management Framework

Perpetual s Risk Management Framework Context Perpetual Limited (Perpetual) is a diversified financial services firm, listed on the Australian Securities Exchange.

Operational Risk Management

Operational Risk Management An Iceberg but Icebergs can melt DMF Stakeholders Forum Berlin, May 2013 Mike Williams mike.williams@mj-w.net Operational risk is: The risk of loss (financial or nonfinancial)

Risk Management at Central Bank of Nepal

Risk Management at Central Bank of Nepal A. Introduction to Supervisory Risk Management Framework in Banks Nepal Rastra Bank(NRB) Act, 2058, section 35 (a) requires the NRB management is to design and

Summary Enterprise Risk Management Framework

Summary Enterprise Risk Management Framework Last Updated: September 26, 2016 CONTENTS I. Overview II. III. Risk Management Philosophy General Risk Management Activities Board of Directors Risk Management

Compliance & Ethics. Professional

Compliance & Ethics Professional Vol. 8 / No. 6 12 / 2011 Top stories inside 4 Attacking third-party bribery risks 9 Risk management: What s a (smaller) public company board to do? 30 How does your compliance

Enterprise Risk Management Sources. Universe. Tolerance. Appetite

Sources. Universe. Tolerance. Appetite Presentation Made at the ICPAK ERM Conference Wednesday, 20 th March 2013 Hilton Hotel, Nairobi Kenya Jona Owitti, CISA (jona.owitti@yahoo.com) Membership Director

Operational Risk Management. By: A V Vedpuriswar

Operational Risk Management By: A V Vedpuriswar September 17, 2017 Introduction Globalization and deregulation of financial markets, combined with increased sophistication in financial technology, have

Section Defining Risk Management. 11. Principles of Risk Management

Section 2 10. Defining Risk Management Enterprise risk management is the process, affected by an entity's board of directors, management and other personnel, applied in strategy setting and across the

Certified Enterprise Risk Professional (CERP) Test Content Outline

Certified Enterprise Risk Professional (CERP) Test Content Outline SECTION 1: RISK GOVERNANCE Domain 1: Board and Senior Management Oversight (8%) Task 1: Provide relevant, timely, and accurate information

Understanding Enterprise Risk Management: An Overview

Understanding Enterprise Risk Management: An Overview 05/2016 What is Risk? An uncertain event It exists in the future Has a cause and effect Impacts objectives Its effect may be positive and/or negative

USF System Compliance & Ethics Program. Risk Assessment Process. Enterprise-Wide Risk Assessment

USF System Compliance & Ethics Program Risk Assessment Process Enterprise-Wide Risk Assessment Risk Assessment Process Risk Assessment: A disciplined, documented, and ongoing process of identifying and

Goodman Group. Risk Management Policy. Risk Management Policy

Goodman Group Contents 1. Overview... 3 1.1 Introduction... 3 1.2 Objectives of the... 3 1.3 Application... 3 1.4 Operative Provisions... 4 2. Risk Management... 5 2.1 Overview of Risk Management... 5

Risk Management: Principles, Methodologies and Techniques. Peter Getugi Internal Audit Manager ILRI

Risk Management: Principles, Methodologies and Techniques Peter Getugi Internal Audit Manager ILRI NAIROBI 22 JUNE, 2010 Session Objectives What is Risk Management? Why is Risk Management importance rising?

Risk Management Policy and Strategy

Risk Management Policy and Strategy Version: 2.1 Bodies consulted: Approved by: Directors and Managers responsible for risk Board of Directors Date Approved: 28 March 2017 Lead Manager: Lead Director:

Applying COSO s Enterprise Risk Management Integrated Framework. September 29, 2004

Applying COSO s Enterprise Risk Management Integrated Framework September 29, 2004 Today s organizations are concerned about: Risk Management Governance Control Assurance (and Consulting) ERM Defined:

What Is Enterprise Risk Management?

What Is Enterprise Risk Management? April 24, 2006 Marty Przygoda AVP, Enterprise Risk Management 2002 Allstate Insurance Company Before we start talking about ERM, it might be helpful to know who we are...

Kidsafe NSW Risk Management Plan. August 2014

Kidsafe NSW Risk Management Plan August 2014 Document Control Document Approval Name & Position Signature Date Document Version Control Version Status Date Prepared By Comments Document Reviewers Name

Presentation by: Nasumba Kizito Kwatukha CPA,CIA, CISA,CFE,CISSP,CRMA,CISM,IIK 6 th JULY 2017

ENTERPRISE RISK MANAGEMENT SEMINAR Enterprise Risk Management in case of Financial Institutions Presentation by: Nasumba Kizito Kwatukha CPA,CIA, CISA,CFE,CISSP,CRMA,CISM,IIK 6 th JULY 2017 Uphold public

Enhanced Cyber Risk Management Standards. Advance Notice of Proposed Rulemaking

Draft 11/29/16 Enhanced Cyber Risk Management Standards Advance Notice of Proposed Rulemaking The left column in the table below sets forth the general concepts that the federal banking agencies are considering

Enterprise Risk Management Focusing on the Right Risks

2014 CliftonLarsonAllen LLP Enterprise Risk Management Focusing on the Right Risks VGFOA 2015 Fall Conference October 22, 2015 CLAconnect.com Session Objectives 1.Identify factors driving the need for

UNITED NATIONS JOINT STAFF PENSION FUND. Enterprise-wide Risk Management Policy

UNITED NATIONS JOINT STAFF PENSION FUND Enterprise-wide Risk Management Policy 15 April 2016 Page 1 Table of Contents Page Preface I. Introduction 3 II. Definition 4 III. UNSJFP Enterprise-wide Risk Management

Master Class: Construction Health and Safety: ISO 31000, Risk and Hazard Management - Standards

Master Class: Construction Health and Safety: ISO 31000, Risk and Hazard Management - Standards A framework for the integration of risk management into the project and construction industry, following

INTERNAL AUDIT AND OPERATIONAL RISK TACKLING TODAY'S EMERGING RISKS TOGETHER

INTERNAL AUDIT AND OPERATIONAL RISK TACKLING TODAY'S EMERGING RISKS TOGETHER Operational Risk Management Today Companies are struggling to obtain a holistic view of risk and

1. Define risk. Which are the various types of risk?

1. Define risk. Which are the various types of risk? Risk, is an integral part of the economic scenario, and can be termed as a potential event that can have opportunities that benefit or a hazard to an

Driving corporate sustainability through risk management

Aon Risk Solutions Global Risk Consulting Driving corporate sustainability through risk management Risk. Reinsurance. Human Resources. Introduction A changing risk context Sustainability risks are increasingly

Project Risk Management. Prof. Dr. Daning Hu Department of Informatics University of Zurich

Project Risk Management Prof. Dr. Daning Hu Department of Informatics University of Zurich Learning Objectives Understand what risk is and the importance of good project risk management Discuss the elements

Enterprise Risk Management

Enterprise Risk Management Dave Heller Vice President and Chief Compliance Officer Qwest Risk Management September 21, 2004 Acknowledgement The information contained within the first half of this presentation

Project Theft Management,

Project Theft Management, by applying best practises of Project Risk Management Philip Rosslee, BEng. PrEng. MBA PMP PMO Projects South Africa PMO Projects Group www.pmo-projects.co.za philip.rosslee@pmo-projects.com

CORPORATE RISK MANAGEMENT POLICY

11/8/2017 INFORMAÇÃO INTERNA ÍNDICE 1 PURPOSE... 3 2 SCOPE... 3 3 REFERENCES... 3 4 CONCEPTS... 4 5 GUIDELINES... 6 6 RESPONSABILITIES... 8 7 CONTROL INFORMATION... 14 2 INFORMAÇÃO INTERNA 1 PURPOSE The

FIRMA Nashville Tennessee April 21, 2015

FIRMA Nashville Tennessee April 21, 2015 Brian J. Pinkerton T. Kevin Whalen Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization

ITrade Global (CY) Ltd Regulated by the Cyprus Securities and Exchange Commission License no. 298/16

Regulated by the Cyprus Securities and Exchange Commission License no. 298/16 DISCLOSURE AND MARKET DISCIPLINE REPORT FOR 2017 April 2018 Contents 1. INTRODUCTION 3 1.1. THE COMPANY 4 1.2. REGULATORY SUPERVISION

Approved by: Diocesan Council 17 December 2015

DIOCESAN COUNCIL POLICY 39 Risk Management Approved by: Diocesan Council 17 December 2015 1 PREAMBLE The Perth Diocesan Trustees under the authority of the Diocesan Trustees Statute 1952 have the responsibility

Introduction. The Assessment consists of: A checklist of best, good and leading practices A rating system to rank your company s current practices.

ESG / CSR / Sustainability Governance and Management Assessment By Coro Strandberg President, Strandberg Consulting www.corostrandberg.com September 2017 Introduction This ESG / CSR / Sustainability Governance

IT Risk in Credit Unions - Thematic Review Findings

IT Risk in Credit Unions - Thematic Review Findings January 2018 Central Bank of Ireland Findings from IT Thematic Review in Credit Unions Page 2 Table of Contents 1. Executive Summary... 3 1.1 Purpose...

M_o_R (2011) Foundation EN exam prep questions

M_o_R (2011) Foundation EN exam prep questions 1. It is a responsibility of Senior Team: a) Ensures that appropriate governance and internal controls are in place b) Monitors and acts on escalated risks

RISK MANAGEMENT GUIDELINES

RISK MANAGEMENT GUIDELINES Purpose of Guidelines These guidelines outline the way South West Healthcare operates its Risk Management Program and are to assist the organisation, its divisions, departments

RISK MANAGEMENT POLICY VARDHMAN SPECIAL STEELS LIMITED

1 RISK MANAGEMENT POLICY OF VARDHMAN SPECIAL STEELS LIMITED (U/s 134 (3) (n) of the Companies Act, 2013 and Clause 49 (VI) of the Amended Listing Agreement) 1. PREFACE: Oxford Dictionary defines the term

Jeffrey A. Slotnick CPP, PSP Ron Worman, The Sage Group The ESRM Commission

1 ENTERPRISE SECURITY RISK MANAGEMENT: AN INTRODUCTION AND PROBLEM BASED EXERCISE Jeffrey A. Slotnick CPP, PSP Ron Worman, The Sage Group The

Risk Management Policy

DYNAMIC ARCHISTRUCTURES LIMITED Risk Management Policy DYNAMIC ARCHISTRUCTURES LIMITED Regd. Address: 409, Swaika Centre, 4A Pollock Street, Kolkata - 700001 (West Bengal) CONTENTS Sr. Particulars Page

I would like to thank the following organizations for sponsoring the course, which allows their employees/members to have the registration fee waived:

Presented by: Erike Young, MPPA, CSP, ARM 1 I would like to thank the following organizations for sponsoring the course, which allows their employees/members to have the registration fee waived: University

MUSTER AG RISK MANAGEMENT

MUSTER AG RISK MANAGEMENT Risk Management Policy Risk Management Process Risk Management Guidelines Version 1.0 as of 9. October 2011 TABLE OF CONTENTS 1. PRINCIPLES OF RISK MANAGEMENT... 3 1.1. Concept...

DRAFT SAINT LUCIA NATIONAL STANDARD DNS/ISO 31000: 2009 RISK MANAGEMENT PRINCIPLES AND GUIDELINES (ISO 31000: 2009, IDT) Stage 40 Enquiry Stage

DRAFT SAINT LUCIA NATIONAL STANDARD DNS/ISO 31000: 2009 RISK MANAGEMENT PRINCIPLES AND GUIDELINES (ISO 31000: 2009, IDT) Stage 40 Enquiry Stage DECEMBER 2017 Copyright SLBS Saint Lucia Bureau of Standards,

Risk Management Relevance to PAS 55 (ISO 55000) Deciding on processes to implement risk management

Risk Management Relevance to PAS 55 (ISO 55000) Deciding on processes to implement risk management Jeff Hollingdale DQS South Africa jeffh@dqs.co.za PAS 55 Risk Management The guideline states: (4.4.7);

Disclosure Prudential Disclosure Report. 12/31/2017 Derayah Financial

Derayah - Pillar III Disclosure -2017 Prudential Disclosure Report 12/31/2017 Derayah Financial Table of Contents 1. OVERVIEW... 2 2. CAPITAL STRUCTURE... 2 2.1. Disclosure on Capital Base... 3 3. CAPITAL

Integrating Environmental, Social, and Governance Risks into Enterprise Risk Management. 7 May 2018

Integrating Environmental, Social, and Governance Risks into Enterprise Risk Management 7 May 2018 World Business Council for Sustainability Development MISSION: To accelerate the transition to a sustainable

Foundations of Risk Management

Foundations of Risk Management Introduction Level 1 Foundations of Risk Management Topics 1. 2. CORPORATE RISK MANAGEMENT: A PRIMER 3. CORPORATE GOVERNANCE AND RISK MANAGEMENT 4. WHAT IS ERM? 5. RISK-TAKING

Risk Management: Assessing and Controlling Risk

Risk Management: Assessing and Controlling Risk Introduction Competitive Disadvantage To keep up with the competition, organizations must design and create a safe environment in which business processes

Practical aspects of determining and applying a risk appetite for SMEs

Practical aspects of determining and applying a risk appetite for SMEs By Tim Timchur acis, Director, ActivePro Consulting Pty Ltd Important to determine appetite for risk before determining what risk

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Objectives and Key Requirements of this Prudential Standard Effective risk management is fundamental to the prudent management

Solvency Assessment and Management: Stress Testing Task Group Discussion Document 96 (v 3) General Stress Testing Guidance for Insurance Companies

Solvency Assessment and Management: Stress Testing Task Group Discussion Document 96 (v 3) General Stress Testing Guidance for Insurance Companies 1 INTRODUCTION AND PURPOSE The business of insurance is

Quantitative and Qualitative Disclosures about Market Risk.

Item 7A. Quantitative and Qualitative Disclosures about Market Risk. Risk Management. Risk Management Policy and Control Structure. Risk is an inherent part of the Company s business and activities. The

Making Risks Manageable. Technical Risk Management for your Business

Making Risks Manageable Technical Risk Management for your Business Aon Your Partner in Technical Risk Questions Leave your risk management to a partner who helps you with the assessment, design and improvement

4.1 Risk Assessment and Treatment Assessing Security Risks

Information Security Standard 4.1 Risk Assessment and Treatment Assessing Security Risks Version: 1.0 Status Revised: 03/01/2013 Contact: Chief Information Security Officer PURPOSE To identify, quantify,

MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY

MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY 1. Vision To develop organizational wide capabilities in Risk Management so as to ensure a consistent,

Delivering Clarity to Credit Unions Through Expertise and Experience

Jeff Owen, The Rochdale Group September 2012 Delivering Clarity to Credit Unions Through Expertise and Experience Enterprise Risk Management Lending Execution and Risk Management Merger Strategy and Realization

Disclosure and Market Discipline Report V.2. Table of Contents

DISCLOSURE AND MARKET DISCIPLINE REPORT 2014 Table of Contents I. Scope of the Report... 3 II. Risk Management Objectives and Policies:... 4 II.1 Risk Management policy:... 4 II.2 Structure of Risk Management

Risk Management Strategy

Resources Risk Management Strategy Successful organisations are not afraid to take risks; Unsuccessful organisations take risks without understanding them. Issue: Version 3 - November 2011 Group: Resources

International Certificate in Financial Services Risk Management. Qualification Syllabus. Building excellence in risk management

Institute of Risk Management International Certificate in Financial Services Risk Management Building excellence in risk management Qualification Syllabus 0 2017 Institute of Risk Management Overview of

Statement of Guidance for Licensees seeking approval to use an Internal Capital Model ( ICM ) to calculate the Prescribed Capital Requirement ( PCR )

MAY 2016 Statement of Guidance for Licensees seeking approval to use an Internal Capital Model ( ICM ) to calculate the Prescribed Capital Requirement ( PCR ) 1 Table of Contents 1 STATEMENT OF OBJECTIVES...

Procedure: Risk management

Procedure: Risk management Purpose To outline the procedures involved for identification, assessment and management of risks. Procedure Introduction 1. This procedure outlines the University s Risk Awareness

Unlocking Value with Enterprise Risk Management. presented by Jim Toole, FSA, CERA, MAAA Bob Daino, FCAS, MAAA

Unlocking Value with Enterprise Risk Management presented by Jim Toole, FSA, CERA, MAAA Bob Daino, FCAS, MAAA August, 2009 Our Talk Today Why Enterprise Risk Management? The ERM Process A Risk Vocabulary

DRAFT SOUND COMMERCIAL PRACTICES GUIDELINE

DRAFT SOUND COMMERCIAL PRACTICES GUIDELINE JUNE 2013 TABLE OF CONTENTS Preamble... 2 Introduction... 3 Scope... 4 Implementation... 5 Concepts addressed in this guideline... 6 Commercial practices... 6

An Update On Association Policies, Health Checks & Guidelines To A Safer Hockey Association. Lauren Woods Member Engagement & Operations

An Update On Association Policies, Health Checks & Guidelines To A Safer Hockey Association Lauren Woods Member Engagement & Operations Association Health Checks Issues arising from the health check: 3/27

ENTERPRISE RISK MANAGEMENT Framework

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES ENTERPRISE RISK MANAGEMENT Framework January 2018 This document is also available in French. Notice This document is intended as a reference tool

Risk Management. Webinar - July 2017

Risk Management Webinar - July 2017 Compiled by: Raaghieb Najjaar, Yaeesh Yasseen & Rashied Small Adapted and Facilitated by: Professor Enslin J. van Rooyen Risk Management - June 2017 2 Defining Risk

HOW HIGH-PERFORMING COMPANIES HARNESS OPPORTUNITIES THROUGH SRM SRM 401. Wednesday, April 18

HOW HIGH-PERFORMING COMPANIES HARNESS OPPORTUNITIES THROUGH SRM SRM 401 Wednesday, April 18 This session is hosted by RIMS Strategic Risk Management Development Council. PANELISTS Carol Fox, ARM Director

An Introductory Presentation for ECU Staff

Risk Management at ECU An Introductory Presentation for ECU Staff Phillip Draber Manager, Risk and Assurance Outcomes By the end of this session you should: Be able to complete and document risk management

Enterprise Risk Management Integrated Framework

ISACA S IT Audit, Information Security & Risk Insights Africa 2014, Alisa Hotel Enterprise Risk Management Integrated Framework Tony Bediako May 20, 2014 Today s organizations are concerned about: Risk