1 © Copyright 2012 EMC Corporation. All rights reserved.
Applying Enterprise Risk Management to Your Business Continuity Management Efforts Patrick Potter GRC Strategist, RSA Archer
October 10, 2013
Today’s Speaker Patrick is currently a GRC Strategist for the RSA Archer organization, where he helps drive the direction of the Business Continuity and Audit Management solutions. Prior to RSA, Patrick spent over 20 years leading business continuity, internal audit, strategic planning, process improvement and related activities at Fortune 500 companies in both industry and consulting roles.
Patrick has developed a broad perspective working with analysts, partners and customers spanning such industries as financial services, higher education, manufacturing, high-tech, healthcare, and media and hospitality. He has been a speaker for the Institute of Internal Auditors, DRJ, RSA Archer Summit, Financial Executives Networking Group, Association of Continuity Planners and ISACA. Patrick has also contributed various thought leadership articles for Continuity Insights, SC Magazine, Internal Auditor Magazine and Disaster Recovery Journal.
Session Abstract
Business Continuity and Disaster Recovery (BC/DR) management programs typically evaluate business criticality through performing risk assessments and business impact analyses to determine recovery priorities. But, how often do BC/DR programs coordinate their efforts with other internal enterprise risk management groups and functions? How do these groups define and measure risk?
Case Study
A Fortune 100 financial services (FS) company performed over 3,000 BIAs and had as many documented Business Continuity (BC) plans. Their central BC program’s charge was to audit as many of these plans as possible based on a risk profile. The BC group had a rudimentary risk assessment process that would help them determine which BC plans to audit (i.e., go onsite, verify plans were documented and tested) versus having business process/BC plan owners self-audit through a questionnaire that the BC program would review.
The Issue: Their risk approach and criteria were not aligned with those of any other risk group, such as ERM or Internal Audit.
Were they focusing on the right risks?
What is Risk Management?
• Many authoritative sources define risk: ISO 31000, Basel, regulators and auditors
• Risk management is defined as “identifying and categorizing risks to the organization, evaluating them through online assessments and metrics, and responding with remediation or acceptance”
Operations Risk = (diagram listing its component risks):
– Supply Chain Risk
– Human Resources Risk
– Environmental Risk
– Regulatory Risk
– Information Security Risk
– Operational Errors
– Fraud
– Business Continuity
Risk Management Objectives
(cycle diagram of the risk management objectives)
• Assessment
• Identification
• Decision / Treatment
• Monitoring Risk
ISO 22313 Section 8.1.1 Elements of BCM
• Operational Planning and Control
• BIA and Risk Assessment
• BC Strategy
• BC Procedures
• Testing
ISO 22313 Section 8.2.3 - Risk Assessment
The organization should establish a formal risk assessment process that systematically identifies, analyses and evaluates the risk of disrupting the organization’s prioritized activities and the processes, systems, information, people, assets, suppliers and other resources that support them.
Risk Management is Complex
(diagram of interrelated elements): Business Processes, Objectives, Risk Register, Controls & Risk Transfer, Incidents & Events, Policies & Procedures, People / Org Structure, Rules & Regulations, Assets, Supply Chain, Products & Services
Organizational Gaps in Risk Management
(diagram) Disconnected approaches, priorities and thresholds across the CIO, ERM / CRO, BC/DR, CCO and COO functions. Activities shown: IT Repositories, Business Asset Catalog, Risk Identification, Risk Assessment, Metrics & Reporting, Risk Ownership, Plan Ownership, Remediation, Evaluate Controls, Control Testing, Compliance Checklist and Reporting.
Some Common Themes
• The level of maturity of risk programs varies greatly by industry and by company within the same industry
• Agreement on taxonomy, framework, and approach remains a challenge
• Regulated companies are under increasing pressure to demonstrate risk management capabilities
• Interest in ERMS continues to grow
• Best practices continue to evolve
Understand Your Enterprise
(diagram) Enterprise elements: Business Units, Processes, Contacts, Applications, Information, Devices, Facilities
• Visibility
• Collaboration
• Accountability
• Criticality
Understand Your Stakeholders
• Board of Directors / Risk & Audit Committee / Executives (All Risks)
• Chief Risk Officer (All Risks)
• Enterprise Risk Manager (All Risks)
• Operations Risk Manager (Ops Risk within scope of how the company defines ORM)
• Chief Financial / Accounting Officer (Financial Reporting Risks)
• Treasurer (Market Risks)
• Director of Internal Audit (All Risks & Audit Management)
• Director of Corporate Compliance (Regulatory Compliance)
• CIO / CISO (Info Security component of Ops Risk)
• Director of Business Continuity and Disaster Recovery (Bus Continuity component)
• Director of Corporate Insurance (All Ops Risks)
• Chief Legal Counsel (Ops Risks focused on customer & 3rd Pty contracts, employment practices liability, regulatory compliance, fraud)
• Director Operations (All operating activities)
• Physical Security Officer (Physical Security component of Ops Risk; Fraud / Investigation Incidents)
• Purchasing Director (Vendors / Service Providers)
Focus Needs to Span the Organization
(diagram) Board of Directors, Management and GRC Management spanning Risk, IT, Business, CFO/CRO/CCO and CIO/CISO. Topics shown: Strategic Partnership, IT Audits, New systems, IT Security Risk, Security Operations, Regulatory Risk, Operational Risk, Corp. Governance, Audit & Compliance, 3rd Party Risk, Policy & Controls, Organizational Resiliency, New business challenges.
Leverage Your GRC Program
(diagram) GRC program stages, across Compliance, Risk Management and Performance:
• Response to Individual Mandates
• Multiregulatory
• Cross-Enterprise
• Strategic Direction / Competitive Advantage
In Summary
• Get Executive buy-in and sponsorship
• Establish common enterprise taxonomy, framework, risk assessment, and risk management approach
• Bring risk management within the GRC umbrella
• Look at risk where you can in terms of real $$$
• Focus on making more aligned risk decisions across the organization
Gartner MQ for BCM Planning Software
Source: Gartner Magic Quadrant for Business Continuity Management Planning Software, Roberta J. Witty, John P. Morency, 26 Aug. 2013
The Magic Quadrant is copyrighted 26 Aug 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.
RSA Archer GRC Roadshows
Coming to a City Near You! (& they’re free)
• New York – Wed., Nov. 6
• Minneapolis – Thurs., Nov. 14
• Boston – Thurs., Nov. 21
• Atlanta – Fri., Nov. 22
• Toronto – Mon., Dec. 2
• Washington, DC – Thurs., Dec. 5
• San Francisco – Fri., Dec. 6
Space is Limited - Register today: https://community.emc.com/docs/DOC-27671
Maintain business operations with Business Continuity Management
Learn More At… www.rsa.com/grc
• Download the Latest Analyst Reports
• Learn more about regulatory compliance and business continuity management
• Learn about RSA Archer Business Continuity Management & Operations