Break the Risk Paradigms - Overhauling Your Risk Program
- Shavonne Floyd
- 6 years ago
1 SESSION ID: GRC-T11
Break the Risk Paradigms - Overhauling Your Risk Program
Evan Wheeler, MUFG Union Bank, Director, Information Risk Management

2 Your boss asks you to identify the top risks for your organization: where do you start?

3 Goals of Risk Management
- Minimizing uncertainties for the business
- Aligning and controlling organizational components to produce the maximum output
- Providing governance and oversight
- Cost effective

4 Status Quo (diagram; only the "+" and "=" labels were transcribed)

5 Challenges with Current Approaches
1. Analysis - Confusion
   - No single definition for terms
   - Unclear scoping
   - Undocumented assumptions
2. Measurement - Inconsistent model
   - Vaguely defined rating scales
   - Focus on possibility vs. probability
   - No adjustments for bias or confidence
   - Rarely data driven
3. Different mental risk models
6 Breaking the Mold: Implementing FAIR

7 What is FAIR?
A risk methodology should at least include:
- Single definition of risk
- Risk factors or ontology
- Methodology to measure risk
- Alignment with control maturity and threat intelligence standards
- Integration into Enterprise Risk Frameworks
(Diagram labels, positions not recoverable: Control Checklist ... Analytic Measurement Framework; ISO, COSO ERM, OCTAVE, NIST RMF, ISACA Risk IT, COBIT, FAIR?)

8 Benefits of Using FAIR
- Ontology and method for understanding, analyzing and measuring information risk
- Logical and rational risk analysis framework
- Expresses risk in the context of a loss scenario
- Improves ability to defend conclusions and recommendations
- Additional standards have been built on it, such as a Controls Ontology
Standard: The Open Group is a global consortium that enables the achievement of business objectives through IT standards; open industry standard; mappings to ISO, NIST, STIX, etc.
Relevant: Evolved from a global insurance firm; used by top companies across sectors
Tailored: Designed for operational risk; risk factors for data, technology, and cyber scenarios
Extensible: Critical thinking framework; layers of abstraction; qualitative or quantitative

9 Alignment with NIST CSF
- NIST evaluates the control environment using a relative maturity rating
- FAIR measures risk exposure based on how often loss is likely to occur and how bad it's likely to be
"FAIR is the future of information security, as that's how we will bridge the gap and talk about risk in a common language." - CISO, Federal Reserve Bank of NY
10 Where do you start assessing? (diagram spanning from Incidents to Controls)
1 Asset Profiling
2 Threat Modeling
3 Incident / Vulnerability Analysis
4 Controls Self Assessment

11 Iterative Adoption Approach: Typical Qualitative => Simple Estimation => Advanced Estimation
Typical Qualitative:
- Inherent Risk
- Control Environment
- Residual Risk (ordinal scale)
Simple Estimation:
- 5 Categories of Primary Loss
- Primary Loss Event Frequency
- Predefined Ranges (min, max)
- Annualized Timeframe
- Best, Most Likely or Worst Case
- Confidence (qualitative)
- Residual Risk (ordinal scale)
Advanced Estimation:
- Threat Event Frequency
- Susceptibility
- 5 Categories of Primary Loss
- 5 Categories of Secondary Loss
- Secondary Loss Event Frequency
- Flexible Ranges (min, m/l, max)
- Annualized Timeframe
- Simulations
- Confidence (interval)
- Residual Risk (distribution)

12 Prep & Scoping (Simple Estimation)

13 FAIR Ontology (factor tree)
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Susceptibility
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
14 Risk Model: Basic Factor Analysis
How much risk is associated with ...?
- Risk - Def: the probable frequency and magnitude of future loss
- Probable Loss Event Frequency (#) - Def: the probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset
- Probable Loss Magnitude ($) - Def: the probable magnitude of loss resulting from a loss event

15 Scenario Scoping
- "What is the risk of data loss?" versus "How much risk is associated with an employee intentionally deleting client health data from the production systems if the backups are unreliable, worst case over the next year?"
- Focus on outcomes, not control weaknesses
- Break the problem down into smaller measurable questions

16 How much risk is associated with a failed backup when data needs to be restored due to an insider maliciously deleting production data?
Asset at Risk: Business Line X, Application Y; Client Health Records
Threat Community: Amateur Hacker, Cyber Criminal, Nation State, Privileged Insider
Motivation: Accidental, Malicious
Loss Area: Confidentiality, Integrity, Availability
Assumptions:
- Approximately 1,000 client records in application
- Employee data isn't impacted
- Health records fall under HIPAA regulations
- Susceptibility to privileged insider abuse is ~100%
- Not all impacted clients will notice an impact directly
- Client turnover (loss of future business) would be minimal
- Insurance will cover some response costs
- Records could be recreated from paper and manually re-entered
17 Measurement & Analysis (Simple Estimation)

18 Qualitative Drawbacks
- How much risk reduction is enough? X = high risk
- Where are the opportunities to reduce our exposure? Frequency isn't used explicitly
- What is the time horizon for our outlook and estimates? Next 3 months, next 10 years?
- How many Lows equals a High rating?

19 Quantitative Assumptions
Objections to quantitative measurement models:
- Won't our SMEs just be guessing?
- We don't have enough data
- How can we estimate when it has never happened before?
- But we are a unique snowflake!
1. Your problem is not as unique as you think.
2. You have more data than you think.
3. You need less data than you think.
4. There is a useful measurement that is much simpler than you think.

20 Measuring Risk
How often loss is likely to occur and how bad it's likely to be. When you evaluate a risk, you are estimating the future potential for some event(s). It will have ranges of probable impact and likelihood of occurrence (or frequency of re-occurrence).

21 Simple FAIR Estimation Elements
- Predefined Ranges (min, max)
- Annualized Timeframe
- Best, Most Likely or Worst Case
- 5 Categories of Primary Loss
- Primary Loss Event Frequency
- Confidence (qualitative)
- Residual Risk (ordinal scale)

22 Key Concepts
- Accuracy vs. Precision
- Time Horizon
- Minimum: X - Maximum: Y
- Annualized Loss Expectancy

23 Order Matters
- Always estimate impact first: Worst-case? Most common outcome? (Best Case, Most Likely, Worst Case)
- Rate likelihood second
- Forces you to clarify the event you're evaluating, which helps to avoid misalignment
Example rating (Dec 2015): Most likely annualized risk: M; One-time maximum loss: H; EXCEEDING TOLERANCE
24 (Section divider) 1 Probable Loss Magnitude; 2 Loss Event Frequency; 3 Residual Risk Exposure

25 Forms of Loss (1 Probable Loss Magnitude)
- Productivity: Operational inability to deliver products or services resulting in unrealized revenue (i.e. $ / time)
- Response: Costs of managing an event (i.e. communication, regulatory demands, etc.)
- Replacement: Replacement of capital assets (i.e. applications, personnel, etc.)
- Fines & Judgments: Fines or judgments levied against the organization through civil, criminal or contractual actions
- Reputation / Competitive Adv.: External stakeholder perspective on organization's value decreased or liability increased, or intellectual property or key competitive differentiators damaged

26 Sample Pre-Defined Impact Tables
Magnitude | Min | Max | Productivity (1) | Response (2) | Replacement
Severe | $25m | Above | Full service exceeds 1 business day, or degradation exceeds 1 week | 1,000 hours or more | Funding approval from Board required
High | $1m | <$25m | Full service exceeds RTO, or partial exceeds RTOx2 | 500 up to 1,000 hours | Requires out of budget funding
Moderate | $500k | <$1m | Partial service up to RTOx2, or full service up to RTO | 100 up to 500 hours | In function's budget but postpones planned investment
Low | $5k | <$500k | Partial service up to RTO | 5 up to 100 hours | Replacement cost in function's discretionary budget
Immaterial | $0 | <$5k | No SLA breach | Up to 5 hours | No cost or covered by insurance
1. Assumes revenue isn't collected during downtime and won't be recuperated afterwards
2. Avg. loaded person hourly $75 - $

27 Probability & Frequency (2 Loss Event Frequency)
- Probability - how likely something bad is to happen
- Frequency - how many times something bad is likely to happen
- Past performance is not always an indicator of the future: variables change!
Threat characteristics example:
- The frequency with which threat agents come into contact with our organizations or assets
- The probability that threat agents will act against our organizations or assets
- The probability of threat agent actions being successful in overcoming protective controls
- The probable nature (type and severity) of impact to our assets
FREQUENCY SCALE
- < 0.1 times per year (less than once every 10 years)
- between 0.1 and 1 times per year
- between 1 and 5 times per year
- between 5 and 50 times per year
- > 50 times per year

28 Evaluating Adversarial Threats
- Sophistication of skills required
- Availability of exploit tools
- Size of user community (threat universe)
- Motivation of attacker
- Opportunity
29 Confidence
- Initial / Intuitive - Immature or developing assessment approach exists; a formal assessment model may not be established or is in early stages. Predictions are largely based on the experience of the assessors.
- Repeatable - An assessment model is established and is producing consistent assessments using standard criteria. Risks are being regularly assessed. Assessment may be based on consensus opinion, or assessors are at least engaging risk-practiced SMEs, reviewing incident statistics, or referencing trend data to inform assessments.
- Measurable - Assessment model is well defined and has been refined/calibrated over time, and trend data and incident statistics have been analyzed to model future predictions. Assessors are trained, practiced, and experienced in analyzing risks in this area. The assessments themselves may have been revised and updated over time.
30 (Section divider) 1 Probable Loss Magnitude; 2 Loss Event Frequency; 3 Residual Risk Exposure

31 Program Development

32 Two Approaches
Ground Up:
- Choose a standard set
- Housekeeping and clean up
- Engage line managers
- Establish risk mitigation expectations
- Review existing assessment data
- Prioritize & execute action plans
- Gather activity based metrics
- Demonstrate value to process owners
Top Down:
- Implement a risk mgt. policy & model
- Identify inherent risk
- Establish governance & assign roles
- Prioritize areas for assessment
- Solicit risk information from business
- Prioritize & execute initiatives
- Gather performance based metrics
- Demonstrate value to risk committee

33 Program Maturity - Where are you on this maturity scale?
1 Non-existent - this does not occur
2 Initial / Ad Hoc - reactive and rarely has any accountability, tactical level only, never gets management visibility
3 Repeatable but Intuitive - immature and developing approach exists and is implemented for major initiatives or risks
4 Defined Process - process defined but not widely adopted, awareness/training made available, based on a standard methodology
5 Essentials Implemented - process defined with significant adoption across the organization, regular reporting of highest risks to management, risk reassessed, formalized tracking in place
6 Managed & Measurable - standard part of procedures, regular reporting of risks and performance metrics to management, informed decision making based on risk assessments, risks regularly reassessed, some automation in place
7 Optimized - structured, organization wide program is enforced and well managed. Consistent across the organization, ground up and top down, integrated into all the business processes. Continual reassessment of risks and inefficiencies in the program.

34 Mature Program Elements
- Formal risk responsibilities and escalation process documented
- Embedded in key processes throughout organization
- Performance indicators for the risk program itself
- Ensure that the scope and focus of the program is reviewed regularly
- Risk training program and outreach
- Recognize employees for identifying risks

35 Apply: Implementing a Better Model
- Formalize terminology
- Create scoping and analysis templates
- Determine initial impact ranges
- Train analysts
- Analyze scenarios in parallel with existing model
- Evangelize benefits of new methodology
- Recalibrate and refine impact ranges
36 Recommended Reading
- Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. ISBN: Amazon Link:
- Measuring and Managing Information Risk: A FAIR Approach. ISBN: Amazon Link:
The content of this presentation does not reflect the views or opinions of MUFG Union Bank.

37 Appendix - Example Analysis Using FAIR: Hurricane Call Center

38 Hurricane Scenario

39 Define the Scenario
Issue Statement: The company's only two call centers aren't regionally dispersed.
Scope: How much risk is associated with a storm impacting both of the company's call centers at the same time, making them inaccessible to employees?

40 Seeking Risk Acceptance - Why?
- Mitigation is cost prohibitive?
- Mitigation strategy has long duration or is unknown?
- Likelihood of occurrence is insignificant?
- Risk exposure is temporary?
(chart label: 30%)

41 Analysis Steps
Prep Meeting Sections:
0. Prerequisite - Conduct calibration exercise to ensure your stakeholders are comfortable with estimates
1. Identify scenario scope - Identify the asset at risk; identify the threat community under consideration
Workshop Sections:
2. Evaluate Loss Magnitude - Estimate the Forms of Loss impact; results will drive Detective and Response Controls
3. Evaluate Loss Event Frequency - Estimate the Probable Frequency; results will drive Preventative Controls
Post Workshop Section:
4. Derive & articulate Risk - Determine the risk and capture results in standard format; Post-Scenario Steps
42 Scenario Scope
Asset at Risk: Call Center Outsourcing Service; Call Center Facilities
Threat Community: Privileged Insider, Amateur Hacker, Cyber Criminal, Nation State, Act of Nature
Motivation: Malicious, Accidental
Impact Area: Availability, Confidentiality, Integrity
Probable Loss Magnitude: Best Case, Most Likely Case, Worst Case - to be determined during scenario exercise
Forms of Loss: Productivity / Loss or Disruption of Services; Response; Replacement; Legal and Regulatory; Competitive Advantage / Reputation
Loss Event Frequency: To be determined during scenario exercise
Top Risk Alignment: Major operations disruption will prevent company from meeting client SLAs.
Assumptions:
- Company provides call center outsourcing as a service provider to other corporations
- Both call center sites are located on different coasts of Florida (i.e. Tampa and Jacksonville)
- If both call centers are unavailable, the support function cannot shift to another location; however, employees can work from home if the call center still has power
- Employees are not able to perform their duties remotely for some subset of clients who have strict rules requiring staff to be at the physical location to access their client information
- Contracts with premier clients require 99.98% service availability, and a recovery time objective of 2 hours
- All client contracts stipulate unlimited liability for disruptions that are caused by gross negligence
- Our company is not directly regulated; however, several financial services and healthcare clients are, so those requirements are indirectly inherited
- Revenue is only lost when both call centers are unavailable
- Call centers of backup power generators
- Company owns the call center buildings
- Insurance policy deductible is $100k, and policy doesn't cover flood damage

43 Impact
- Assuming worst case major hurricane (Cat 3 or above) and path hits both coasts of Florida
- Electricity and water may be unavailable to residents for several days to weeks after the storm passes
- When a major hurricane hits, the transportation and power infrastructure can be unavailable to commercial areas for 1 day to 5 days on average
- Major hurricane may result in loss of power to the call center and staff denial of access
- Employee homes and call centers will be unavailable simultaneously for at least one day

44 Forms of Loss
- Productivity / Loss or Disruption of Services (inability to deliver products or services): Call centers are unavailable from 1 day to 5 days; revenue per day is $50k; 30% of client revenue cannot be supported using work from home capabilities; expected loss of $50k - $250k
- Response (costs of managing an event, i.e. client communication, regulatory, etc.): Staff time of IT staff to restore systems from power outage - Min: 2 staff x 4 hrs x $75 rate = $600; M/L: 4 staff x 6 hrs x $75 rate = $1,800; Max: 6 staff x 22 hrs x $75 rate = $9,900. Staff time of Facilities staff to restore working conditions from weather damage - Min: 4 staff x 8 hrs x $20 rate = $640; M/L: 4 staff x 24 hrs x $20 rate = $1,920; Max: 4 staff x 60 hrs x $20 rate = $4,800
- Replacement (replace capital assets, i.e. database app): Repairs to the building due to debris or flood $1k - $10k - $100k
- Legal and Regulatory (fines or judgments levied against organization through civil, criminal or contractual actions): None
- Competitive Advantage / Reputation (external stakeholder perspective on organization's value decreased or liability increased, or intellectual property or key competitive differentiators damaged): Based on scenario assumptions, reputational impact will be significant with threat of losing premier clients to competitors; morale and retention issues if employees are forced to work rather than looking after their own homes and families

45 Frequency Data
- 1 major hurricane hits Florida every other year on average
- No more than 4 hit in any one year
- 1 in 5 hurricanes that impact Florida will affect both sides of the state
- Min: 0, Most Likely: 0.1, Max: 1

46 Simple FAIR Analysis: 1 Probable Loss Magnitude; 2 Loss Event Frequency; 3 Residual Risk Exposure
(1 in 7 hurricanes that impact Florida will affect both sides of the state)
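As an added worked example (not part of the original presentation, and not the FAIR standard's own tooling), the Python script below carries the hurricane scenario's figures from slides 44 and 45 through both columns of the adoption approach on slide 11: the Simple Estimation (best, most likely and worst case point values on an annualized timeframe, banded with the impact table of slide 26 and the frequency scale of slide 27) and the Advanced Estimation (a Monte Carlo simulation over min/most-likely/max ranges that yields a residual-risk distribution instead of a single number). Both use the relation from slides 13 and 14, Risk = Loss Event Frequency x Loss Magnitude. The most-likely productivity loss ($100k), the PERT shape parameter of 4 and the short frequency band labels are assumptions; every other figure comes from the slides.

```python
"""Simple vs. advanced FAIR estimation for the hurricane call-center scenario."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (min, most likely, max) as on the Forms of Loss slide."""
    low: float
    likely: float
    high: float

    def pert_mean(self) -> float:
        # Mean of a modified-PERT distribution with shape parameter 4 (assumed).
        return (self.low + 4 * self.likely + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        # PERT sampling: a Beta(alpha, beta) draw rescaled onto [low, high].
        if self.high == self.low:
            return self.low  # degenerate range, nothing to sample
        span = self.high - self.low
        alpha = 1 + 4 * (self.likely - self.low) / span
        beta = 1 + 4 * (self.high - self.likely) / span
        return self.low + span * rng.betavariate(alpha, beta)


# Forms of loss in dollars, from slide 44. The productivity most-likely value is an
# assumption: the slide only gives the $50k-$250k range.
FORMS_OF_LOSS = {
    "productivity": Estimate(50_000, 100_000, 250_000),   # most likely assumed
    "response_it": Estimate(600, 1_800, 9_900),           # 2x4x$75 .. 6x22x$75
    "response_facilities": Estimate(640, 1_920, 4_800),   # 4x8x$20 .. 4x60x$20
    "replacement_repairs": Estimate(1_000, 10_000, 100_000),
}
# Loss event frequency per year, from slide 45 (min 0, most likely 0.1, max 1).
LOSS_EVENT_FREQUENCY = Estimate(0.0, 0.1, 1.0)


def magnitude_band(dollars: float) -> str:
    """Ordinal magnitude band from the slide 26 impact table (min/max columns)."""
    if dollars >= 25_000_000:
        return "Severe"
    if dollars >= 1_000_000:
        return "High"
    if dollars >= 500_000:
        return "Moderate"
    if dollars >= 5_000:
        return "Low"
    return "Immaterial"


def frequency_band(per_year: float) -> str:
    """Frequency scale from slide 27 (labels shortened, an assumption)."""
    if per_year < 0.1:
        return "< 0.1 / yr"
    if per_year < 1:
        return "0.1 - 1 / yr"
    if per_year < 5:
        return "1 - 5 / yr"
    if per_year < 50:
        return "5 - 50 / yr"
    return "> 50 / yr"


def simple_estimation(forms: dict, lef: Estimate) -> dict:
    """Simple Estimation column: multiply point values, no simulation."""
    magnitude = Estimate(
        sum(e.low for e in forms.values()),
        sum(e.likely for e in forms.values()),
        sum(e.high for e in forms.values()),
    )
    most_likely_ale = lef.likely * magnitude.likely
    return {
        "best_case_ale": lef.low * magnitude.low,
        "most_likely_ale": most_likely_ale,
        "worst_case_ale": lef.high * magnitude.high,
        "one_time_max_loss": magnitude.high,
        # The two ordinal ratings reported on slide 23 (annualized risk, one-time max).
        "most_likely_ale_band": magnitude_band(most_likely_ale),
        "one_time_max_loss_band": magnitude_band(magnitude.high),
        "lef_band": frequency_band(lef.likely),
    }


def advanced_estimation(forms: dict, lef: Estimate, trials: int = 20_000, seed: int = 7) -> dict:
    """Advanced Estimation column: Monte Carlo over PERT ranges.
    Each trial samples one year: events * summed loss magnitude (Risk = LEF x LM)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        events = lef.sample(rng)
        magnitude = sum(e.sample(rng) for e in forms.values())
        annual_losses.append(events * magnitude)
    annual_losses.sort()

    def pct(p: float) -> float:
        return annual_losses[min(int(p * trials), trials - 1)]

    return {
        "mean_ale": sum(annual_losses) / trials,
        "p10_ale": pct(0.10),
        "p50_ale": pct(0.50),
        "p90_ale": pct(0.90),
        # Independent factors: expected ALE is the product of the PERT means.
        "analytic_mean": lef.pert_mean() * sum(e.pert_mean() for e in forms.values()),
    }


if __name__ == "__main__":
    print("simple:", simple_estimation(FORMS_OF_LOSS, LOSS_EVENT_FREQUENCY))
    print("advanced:", advanced_estimation(FORMS_OF_LOSS, LOSS_EVENT_FREQUENCY))
```

Running it shows why slide 11 treats the two columns as stages: the simple path reports a most-likely annualized loss of about $11k against a one-time maximum of roughly $365k (both "Low" on the slide 26 table, with the frequency in the "0.1 - 1 per year" band), while the simulated path spreads the annual loss out and gives an expected value around $34k, a reminder that multiplying most-likely values understates the mean when the frequency range is skewed towards its maximum.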
47 Risk Treatment
- Would additional work from home capabilities help?
- Move a call center?
- Establish remote staff in another state?
- Lower insurance deductible?
- Accept as is?
The content of this presentation does not reflect the views or opinions of MUFG Union Bank.
More informationRisk Management Policy and Framework
Risk Management Policy and Framework Risk Management Policy Statement ALS recognises that the effective management of risks is a fundamental component of good corporate governance and is vital for the
More informationVersion: th November 2010 RISK MANAGEMENT POLICY
Version: 1.2-25th November 2010 RISK MANAGEMENT POLICY Document History Document Location To be completed. Revision History Date of this revision: 17/09/2010 Date of next revision: N/A Revision Number
More informationProject Management Certificate Program
Project Management Certificate Program Risk Management Terry Skaggs ( Denver class) skaggst@centurytel.net 719-783-0880 Lee Varra-Nelson (Fort Collins class) lvarranelson@q.com 970-407-9744 or 970-215-4949
More informationThe working roundtable was conducted through two interdisciplinary panel sessions:
As advancements in technology enhance productivity, develop new businesses and enhance economic growth, malicious actors continue to advance as well, seeking to exploit technology for any number of criminal
More informationCertified Enterprise Risk Professional (CERP) Test Content Outline
Certified Enterprise Risk Professional (CERP) Test Content Outline SECTION 1: RISK GOVERNANCE Domain 1: Board and Senior Management Oversight (8%) Task 1: Provide relevant, timely, and accurate information
More informationRisk Management Strategy January NHS Education for Scotland RISK MANAGEMENT STRATEGY
NHS Education for Scotland RISK MANAGEMENT STRATEGY January 2016 1 Contents 1. NES STATEMENT ON RISK MANAGEMENT 2 RISK MANAGEMENT STRATEGY 3 RISK MANAGEMENT STRUCTURES 4 RISK MANAGEMENT PROCESSES 5 RISK
More informationThe PRINCE2 Practitioner Examination. Sample Paper TR. Answers and rationales
The PRINCE2 Practitioner Examination Sample Paper TR Answers and rationales For exam paper: EN_P2_PRAC_2017_SampleTR_QuestionBk_v1.0 Qu Correct Syll Rationale answer topic 1 A 1.1a a) Correct. PRINCE2
More informationLCS International, Inc. PMP Review. Chapter 6 Risk Planning. Presented by David J. Lanners, MBA, PMP
PMP Review Chapter 6 Risk Planning Presented by David J. Lanners, MBA, PMP These slides are intended to be used only in settings where each viewer has an original copy of the Sybex PMP Study Guide book.
More informationManaging Project Risk DHY
Managing Project Risk DHY01 0407 Copyright ESI International April 2007 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
More informationM_o_R (2011) Foundation EN exam prep questions
M_o_R (2011) Foundation EN exam prep questions 1. It is a responsibility of Senior Team: a) Ensures that appropriate governance and internal controls are in place b) Monitors and acts on escalated risks
More informationHIPAA SECURITY RISK ANALYSIS
HIPAA SECURITY RISK ANALYSIS WEDI National Conference May 18, 2004 Presented by: Lesley Berkeyheiser, The Clayton Group Andrew H. Melczer, Ph.D., ISMS Presentation Overview Key Security Points Review Risk
More informationSOLID GROUP INC. ENTERPRISE RISK MANAGEMENT POLICY
SOLID GROUP INC. ENTERPRISE RISK MANAGEMENT POLICY SECTION 1. PURPOSE This Policy establishes the standards, processes and accountability structure to identify, assess, prioritize and manage key risk exposures
More informationRunning Head: Information Security Risk Assessment Methods, Frameworks and Guidelines
Running Head: Information Security Risk Assessment Methods, Frameworks and Guidelines Information Security Risk Assessment Methods, Frameworks and Guidelines Michael Haythorn East Carolina University Abstract
More informationOWN RISK AND SOLVENCY ASSESSMENT. ERM Seminar Compliance All Dealing from the same deck now
OWN RISK AND SOLVENCY ASSESSMENT ERM Seminar - 2014 Compliance All Dealing from the same deck now Own and Solvency Assessment! Originated in the UK about 10 years ago Now a global insurance regulatory
More informationChapter 7: Risk. Incorporating risk management. What is risk and risk management?
Chapter 7: Risk Incorporating risk management A key element that agencies must consider and seamlessly integrate into the TAM framework is risk management. Risk is defined as the positive or negative effects
More informationHEALTHCARE INDUSTRY SESSION CYBER IND 011
HEALTHCARE INDUSTRY SESSION CYBER IND 011 Speakers: Jody Westby, Chief Executive Officer, Global Cyber Risk René Siemens, Partner, Covington & Burling LLP Brent Rieth, Senior Vice President and Team Leader,
More informationDefining a Risk Appetite That Works
SESSION ID: CXO-W10 Defining a Risk Appetite That Works Jack Jones Chairman - FAIR Institute What we ll cover Appetite vs. tolerance what s the diff? Why bother? Comparing risk appetite definitions An
More informationRisk Management Framework
Risk Management Framework Anglican Church, Diocese of Perth November 2015 Final ( Table of Contents Introduction... 1 Risk Management Policy... 2 Purpose... 2 Policy... 2 Definitions (from AS/NZS ISO 31000:2009)...
More informationRISK MANAGEMENT FRAMEWORK
RISK MANAGEMENT FRAMEWORK 1. INTRODUCTION (Company) acknowledges that risk is inherent in its business. The Company faces a broad range of risks as a listed entertainment organisation. The Company s risk
More informationDEBUNKING MYTHS FOR CYBER INSURANCE
SESSION ID: GRC-F02 DEBUNKING MYTHS FOR CYBER INSURANCE Robert Jones Global Head of Financial Lines Specialty Claims AIG Garin Pace Cyber Product Leader AIG @Garin_Pace Introduction What Is Cyber Insurance?
More informationHow Internal Audit Can Help Promote Effective ERM
How Internal Audit Can Help Promote Effective ERM Alan N. Siegfried, MBA, CPA, CIA, CISA, CBA, CRMA, CFSA, CCSA, CITP, CGMA, CSP June 18, 2014 Alan Siegfried Professional Bio Principal and Managing Director,
More informationRisk Assessment Mitigation Phase Risk Mitigation Plan Lessons Learned (RAMP B) November 30, 2016
Risk Assessment Mitigation Phase Risk Mitigation Plan Lessons Learned (RAMP B) November 30, 2016 #310403 Risk Management Framework Consistent with the historic commitment of Southern California Gas Company
More informationREGULATORY GUIDELINE Liquidity Risk Management Principles TABLE OF CONTENTS. I. Introduction II. Purpose and Scope III. Principles...
REGULATORY GUIDELINE Liquidity Risk Management Principles SYSTEM COMMUNICATION NUMBER Guideline 2015-02 ISSUE DATE June 2015 TABLE OF CONTENTS I. Introduction... 1 II. Purpose and Scope... 1 III. Principles...
More informationAn Overview of ISO/IEC 27001:2013 Implementation
0 An Overview of ISO/IEC 27001:2013 Implementation Exploring the drivers and benefits of using a recognized framework to build a strong information security management capability 1 Introduction Steve Crutchley
More informationManaging Project Risks. Dr. Eldon R. Larsen, Marshall University Mr. Ryland W. Musick, West Virginia Division of Highways
Managing Project Risks Dr. Eldon R. Larsen, Marshall University Mr. Ryland W. Musick, West Virginia Division of Highways Abstract Nearly all projects have risks, both known and unknown. Appropriately managing
More informationPolicy Number: 040 Risk Management August 2018
Policy Number: 040 Risk Management August 2018 Policy Details 1. Owner Manager, Business Services 2. Compliance is required by Staff, contractors and volunteers 3. Approved by The Commissioner 4. Date
More informationRisk Management Plan for the <Project Name> Prepared by: Title: Address: Phone: Last revised:
for the Prepared by: Title: Address: Phone: E-mail: Last revised: Document Information Project Name: Prepared By: Title: Reviewed By: Document Version No: Document Version Date: Review Date:
More informationGuidance Note: Stress Testing Credit Unions with Assets Greater than $500 million. May Ce document est également disponible en français.
Guidance Note: Stress Testing Credit Unions with Assets Greater than $500 million May 2017 Ce document est également disponible en français. Applicability This Guidance Note is for use by all credit unions
More informationEnergize Your Enterprise Risk Management
Energize Your Enterprise Risk Management Presented By Mark Caiazzo, CISA, CISM, CRISC Tammy Michaud, CPA May 15, 2017 Reviewed: Agenda Enterprise Risk Management Defined Benefits of ERM Key Components
More informationRisk Management at Central Bank of Nepal
Risk Management at Central Bank of Nepal A. Introduction to Supervisory Risk Management Framework in Banks Nepal Rastra Bank(NRB) Act, 2058, section 35 (a) requires the NRB management is to design and
More informationCyber COPE. Transforming Cyber Underwriting by Russ Cohen
Cyber COPE Transforming Cyber Underwriting by Russ Cohen Business Descriptor How tall is your office building? How close is the nearest fire hydrant? Does the building have an alarm system? Insurance companies
More informationCybersecurity Insurance: New Risks and New Challenges
SESSION ID: SDS1-F01 Cybersecurity Insurance: New Risks and New Challenges Mark Weatherford Chief Cybersecurity Strategist varmour @marktw The cybersecurity market in the Asia Pacific region contributes
More informationProtecting Your Clients from a DATA DISASTER
Protecting Your Clients from a DATA DISASTER Disaster can strike at any time without warning. Each year natural disasters such as floods, hurricanes, tornadoes and wildfires affect thousands of businesses,
More informationEnterprise Risk Management Sources. Universe. Tolerance. Appetite
Sources. Universe. Tolerance. Appetite Presentation Made at the ICPAK ERM Conference Wednesday, 20 th March 2013 Hilton Hotel, Nairobi Kenya Jona Owitti, CISA (jona.owitti@yahoo.com) Membership Director
More informationApplying Risk-based Decision-making Methods/Tools to U.S. Navy Antiterrorism Capabilities
Applying Risk-based Decision-making Methods/Tools to U.S. Navy Antiterrorism Capabilities Mr. Charles Mitchell ABSG Consulting Inc. Alexandria, VA (703) 519-6387 cmitchell@absconsulting.com Commander Chris
More informationENTERPRISE RISK MANAGEMENT Framework
STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES ENTERPRISE RISK MANAGEMENT Framework January 2018 Ce document est également disponible en français. Notice This document is intended as a reference tool
More informationInformation Security Risk Management
Information Security Risk Management Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net
More informationGUIDELINE ON ENTERPRISE RISK MANAGEMENT
GUIDELINE ON ENTERPRISE RISK MANAGEMENT Insurance Authority Table of Contents Page 1. Introduction 1 2. Application 2 3. Overview of Enterprise Risk Management (ERM) Framework and 4 General Requirements
More information7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS
7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS TO MANAGE INFORMATION RISK AND KEEP YOUR ORGANIZATION MOVING FORWARD, YOU NEED A SOLID STRATEGY AND A GOOD
More informationRisk Management Framework. Group Risk Management Version 2
Group Risk Management Version 2 RISK MANAGEMENT FRAMEWORK Purpose The purpose of this document is to summarise the framework which Service Stream adopts to manage risk throughout the Group. Overview The
More informationCyber-risk and cyber-controls:
Cyber-risk and cyber-controls: 1 Insurance alone is not enough Cyber-risk has become one of the most significant topics in boardrooms around the world. The threat is indeed, very real. Consequently, in
More informationRisk Management Policy
Risk Management Policy May 2018 Contents 1.0 Purpose... 3 2.0 Scope... 3 3.0 Risk appetite... 3 4.0 Risk management process... 4 5.0 Measuring success... 7 6.0 Review of policy... 7 Appendix A Definitions
More information2016 Risk Practices Survey
Strong Board. Strong Bank. 2016 Risk Practices Survey MAR 2016 RESEARCH Sponsored by: 2 2016 RISK PRACTICES SURVEY TABLE OF CONTENTS Executive Summary 3 Risk Governance & Oversight 4 Risk Culture & Infrastructure
More informationERM at skyguide and interface with BCM
ERM at skyguide and interface with BCM - Fachveranstaltung Netzwerk Risikomanagement - Aarburg, 8 September 2017 - J. Schulte, Enterprise Risk Manager Content overview of skyguide company activities and
More information