Three Lines of Defense to Enhance Technology Risk Management Maturity

Abstract

Increasing reliance on technology has added to the high complexity of the risk landscape, making risk management and governance a huge challenge for senior management and boards. Enterprises therefore need to adopt a holistic risk management approach to enhance the maturity of their technology risk management capabilities. The Three Lines of Defense (LoD) model is often used to streamline the risk management process, which results in effective risk governance, management, and assurance.
The Need for Enhanced Technology Risk Management Maturity

The Technology Risk Management (TRM) capability of an enterprise indicates its ability to effectively execute core risk management processes, including communication and consultation, context establishment, risk identification, risk analysis, risk evaluation, risk treatment, and monitoring and review. According to research conducted by the Enterprise Risk Management (ERM) Initiative at North Carolina State University, only 25% of the organizations surveyed claimed to have a complete formal ERM process in place [1]. This implies a significant opportunity for improvement of ERM processes in most enterprises.

Enterprises today operate in a regulated and complex business environment and face several challenges related to risk management:
- No enterprise-wide risk management framework or standard is in place.
- Boards and senior management need to be involved in technology risk governance in terms of establishing security and privacy related roles and responsibilities.
- Risk management communication with business units is generally limited to compliance issues.
- Third-party risks may not be adequately assessed or tracked.
- Gaps in policies, processes, and controls may not be identified.
- There is often no overarching Governance, Risk, and Compliance program, resulting in duplication of effort, limited visibility of policy requirements exceptions, and lack of transparency on critical dependencies.

A Holistic Approach Based on a Systems Thinking Perspective

A risk management system consists of the risk management framework and processes that are developed based on regulatory requirements and standards as well as inputs from the external environment. The Systems Thinking approach is recommended to look at the interdependence between the components involved in each risk management process and learn how they can work together to enhance risk management maturity.
[Figure: Enablers of Enterprise Risk Management. The figure shows the Three Lines of Defense (First Line: business lines; Second Line: risk function; Third Line: internal audit) with increasing RM maturity toward a risk-enabled organization, driven by the external environment (political factors, financial factors, social factors, technical concerns) and by compliance with regulations, legislation, and standards (Basel III, corporate governance rules, Sarbanes-Oxley Act, COSO, ISO 31000) that feed the risk management framework and processes.]

The Three Lines of Defense model can be used as a primary means to structure the roles and responsibilities for risk-related decision making and control to achieve effective risk governance, management, and assurance. A close working relationship and proper communication between the three lines is crucial for effective functioning of the model.

First Line of Defense: Lines of Business

The PAS 200:2011 standard has suggested the 'PESTEELO' tool methodology for this purpose [2]. Each letter of the acronym stands for a factor:
- P: Political factors
- E: Economic or financial factors
- S: Social factors
- T: Technical factors and issues
- E: Environmental factors
- E: Ethical factors
- L: Legal or regulatory factors
- O: Organizational factors

Each line of business needs to be vigilant about risk management through these activities:

Ensure Situational Awareness: This entails knowledge of events, as well as being able to model the implications and project current events to predict what might happen. Input should be gathered from all the functions in the business unit, and all relevant channels need to be monitored.

Perform Horizon Scanning: This involves going beyond mere situational awareness to perform a systematic examination of the internal and external environment for weaknesses and gaps, as well as of new and emerging risks that have the potential to affect the organization's performance.

Eliminate Single Points of Failure: The products and services of an enterprise are delivered through a coordinated system consisting of six types of organizational resources: people, technology, information, facilities, supplies, and stakeholders. Vulnerabilities in any of these might make the resource a Single Point of Failure (SPoF) within the system.
Embed Risk Management into Organizational Culture: Senior management should ensure that risk management processes are integrated into day-to-day business activities and organizational culture, and not seen as a separate activity. The three key means of building a risk-aware culture are senior management support and involvement, creation of risk management check points, and development of risk management competence through training and awareness programs.

Second Line of Defense: Independent Risk Function

An independent corporate risk function needs to promote risk awareness and ensure risk mitigation across the enterprise.

Establish Risk Management Accountability: Risk management roles should be defined, right from the board to the functional level, and accountabilities assigned at strategic, tactical, and operational levels.

Integrate Security, Business Continuity, and Compliance Programs with Risk Management: Most enterprises have specialized business units for security, IT service management, business continuity, compliance, and risk management. Each of these units has its own policies, standards, operating procedures, and supporting tools, which results in duplication of effort and compliance conflicts.

Design and Implement Leading Risk Indicators: Key Risk Indicators (KRIs) are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise [3]. A key consideration in defining a leading risk indicator is to think through the chain of events leading to the loss and uncover the root cause.

Engage Stakeholders Effectively: Stakeholders' risk perceptions are driven by their needs and concerns. These factors should be taken into consideration through the continuous process of communication and consultation, both before and after risk decisions are made.

Ensure Continual Improvement: Management should drive continual process improvements through the risk management policy, risk management performance review, internal audits, independent review of risk management processes, as well as frequent communication and management review.
Automate Risk Management Processes: Automation allows enterprises to identify control issues in real time with automatic alerts and remediation, aggregate risks, provide a single view of organizational risks to senior management, and enhance audit efficiencies.

Third Line of Defense: Internal Audit

Two measures help the Internal Audit function provide effective risk assurance:

Adopt a Risk-Based Approach to Auditing: Often, audits are undertaken for compliance purposes, and do not include analysis of the underlying root causes of the audit findings, as well as their implications. Audits, whether internal or external, should adopt a risk-based approach to uncover the root causes of audit findings and facilitate planning of corrective and preventive actions.

Link Audit Planning with Risk Management Initiatives: The organization's annual audit calendar should align with other planned initiatives within the organization. For instance, a risk management initiative can be followed by an audit, so that the enterprise can obtain independent assurance of the effectiveness of the risk management initiative.

A robust risk management framework and cost-effective risk mitigation measures helped a government organization in Europe achieve a higher risk management maturity level with reduced residual cyber and data privacy risk. It also ensured smooth and continuous operations even in the event of business interruptions. The company also achieved ISO 27001 accreditation well within the mandated time.

Conclusion

With increasing pressure from governments and regulatory bodies on enhancing risk management oversight, enterprises need to invest in advancing the maturity of their technology risk management capabilities. High risk management maturity not only helps reduce the frequency of risk events, but also facilitates smooth business operations with increasing returns. Close collaboration among the Three Lines of Defense helps enterprises improve their risk management capability maturity, create a risk-aware culture, and make the enterprise risk-enabled.
References

[1] NC State University, 2016 Report on The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, April 2016, accessed November 2016, https://erm.ncsu.edu/az/erm/i/chan/library/aicpa_erm_research_study_2016.pdf
[2] The British Standards Institute, PAS 200:2011, Crisis management: Guidance and good practice, September 2011
[3] Committee of Sponsoring Organizations of the Treadway Commission, Developing Key Risk Indicators to Strengthen Enterprise Risk Management, December 2010, accessed May 2016, http://www.coso.org/documents/cosokripaperfull-finalforwebpostingdec110_000.pdf
About the Author

Rama Lingeswara Satyanarayana Tammineedi (Satya TR) heads the Center of Excellence for Fraud Management and Digital Forensics within the Enterprise Security and Risk Management business unit of TCS. He has 30 years of overall IT experience, including 14 years in GRC consulting.

Contact

Visit the TCS Enterprise Security and Risk Management services unit page for more information. Email: Global.esrm@tcs.com

Copyright 2016 Tata Consultancy Services Limited