
A Holistic Approach to Convergence of Business Resiliency and Operational Risk

Prepared & Presented by:

Marc Sokol, Chief Security Officer & Head of Operational Risk

Debra Zoppy, Risk & Resiliency Management Services

Our Structure

GCSO Services & Leadership

• Operational Risk Assessments, Management & Governance
• Physical Security and Access Control
• Information Risk Management (Information Security & Privacy)
• Corporate Policies and Standards
• Crisis & Emergency Management Leadership
• Business Continuity and Enterprise Resiliency
• Disaster Recovery Governance
• Internal and External Threat Intelligence (Cyber & Physical)
• Awareness and Education
• Investigation and Prosecution
• Workplace and Life Safety
• Protection Services & On-site Incident Responders
• Third Party Risk Management
• Security and Privacy Breach Response Team
• Business Continuity Committee
• Investigations and Forensics
• Information Security Governance Council
• Workspace Safety Committee
• Corporate Crisis Assessment Team
• Operational Risk Management Subcommittee

Leadership, Governance, Execution

RISK & RESILIENCY OPERATIONS CENTER (RROC) – Day to Day

Business Resiliency Planning

• Governance
• Strategy Development
• Testing
• Liaison to Facilities and Technology
• Recovery Vendor Relations
• Logistics
• Human Capital
• AWS Site Management
• Lodging and Transportation for Test
• Intelligence, Threat Assessment, Risk Mitigation
• Enterprise Priorities

Operational Risk

• Assess Key Operational Risks
• Third Parties Risk Assessment & Inventory
• Risk Register & Aggregate Tracking & Monitoring

CRISIS COMMAND CENTER (C3) – Crisis Mode

Business Resiliency Planning

• Crisis Management
• Strategy Management and Implementation
• Liaison to Facilities and Technology
• Recovery Vendor Relations
• Logistics
• Lodging & Transportation
• Office Services
• Technology Acquisition
• Facility and Furniture Acquisition
• Intelligence, Threat Assessment, Damage Assessment
• Enterprise Priorities

Resiliency Operations

• Policy & Executive Support & Liaison
• Declaration
• Crisis Communications
• Human Resources, Finance, Legal
• Employee Well Being
• Legal / Regulatory
• Crisis Expense Tracking

Definitions

• holistic – the view that a whole system of beliefs must be analyzed rather than simply its individual components
• convergence – tending or moving toward one point or one another; coming together and uniting in a common interest or focus

Operational Risk Universe

• Key Person
• Accuracy and Integrity
• Internal Theft or Fraud
• Employment Practice
• Culture
• Workplace Safety
• Data Center
• Disaster/Data Recovery
• Business Continuity Planning
• Communications Interface
• Network
• Software
• Security
• Hardware
• Communications Infrastructure
• Financial Controls
• Project Mgmt
• Customer Svc & Interaction
• Data Input
• Financial Reporting
• Legal & Regulatory
• Information Mgmt
• Proc & Prod. Mgmt
• External Theft & Fraud
• Third Party
• Brand / Reputation
• Regulatory
• Privacy

Our Approach

Holistic

• Leverages work already done
• Emphasizes the importance of the whole by leveraging the value of the components

Components: AUDIT, BUSINESS CONTINUITY, DISASTER RECOVERY, FINANCIAL, OPERATIONAL, ENTERPRISE

Business Continuity/Disaster Recovery

Provides a strong foundation

• Recovery of Staff and Business Operations
• Identifies and prioritizes
  − Business processes
  − Applications & Systems
    · Defines recovery time objective (data availability)
    · Defines recovery point objective (data loss tolerance)
  − 3rd party relationships
  − Technology & equipment
  − Business interdependencies
  − Business impacts (e.g., monetary, customer, regulatory, financial, reputational)
• Alternate Work Strategies

Our Approach to Operational Risk

• Designed to provide:
  − Consistent methodology for assessing Operational Risk
  − Holistic, yet flexible approach to assessing and managing operational risk
  − Deliver SMAART (Specific, Meaningful, Accurate, Actionable, Reliable, Timely) data
  − Comprehensive view to include people, process, technology & environment
  − Enables benchmarking, heat maps, and prioritization via consistent analysis
  − Supports better decision making for greater effectiveness, business accountability, governance, management, and ownership of key operational risk
  − Measures residual risk against risk appetite and company tolerance
  − Facilitates capability for refinements to capital requirements

Our Approach to Operational Risk

• Focuses on consequences of operational risks
  − Business Interruption
  − Regulatory / Compliance & associated Penalties
  − Legal Liability
  − Reputational Harm
  − Privacy (data loss) & Security (logical & physical breach)
  − Errors/Omissions
  − Fraud
  − Loss or Damage to assets & Workplace Safety
  − Financial Loss / Restitution (Key Financial Systems)

Operational Risk – Putting the Pieces Together

Leverage Business Continuity and Disaster Recovery Data

• Business Process
• Applications
• 3rd Parties
• Departmental Interdependencies

Operational Risk – Putting the Pieces Together

Leverage and Collaborate with OTHER people and sources of data captured by other areas:

• Audit (e.g., SOX, MAR)
• Compliance
• 3rd Party Security & Risk
• IT Security & Application Risk
• Risk Acceptance

Assess Inherent Risk

• People
• Technology
• Process
• Environment

Illustrate the Business Process

Assess Process Controls

• ENCRYPTION
• IDS & PASSWORDS
• SEPARATION OF DUTIES
• SECURE ACCESS
• FIREWALLS
• IDENTITY VERIFICATION
• BACKGROUND CHECKS
• MAINTENANCE & OPERATIONS

Determine Residual Risk

• Inherent Risk
• Controls & Safeguards
• Residual Risk
• Risk Tolerance (Readiness to Bear)
• Risk Appetite (Pursuit of Risk)

Convergence – It’s a Good Thing

Top 10 Reasons to Converge Business Resiliency & Operational Risk

10. Not just an audit or assessment of controls
9. Cross-checks defined processes, applications, 3rd parties, etc. and criticality
8. Challenges and validates recovery time and recovery point objectives
7. Confirms consequences and impacts of downtime (monetary, regulatory, reputational, customer, good-will, etc.)
6. Expanded depth of knowledge and understanding of business operations, processes, and challenges
5. Promotes stronger, smarter, flexible and dynamic risk mitigation solutions
4. Aligns and standardizes terminology and definitions used to identify risks
3. Leverages information across organizations (BC/DR, IT, Audit, Compliance, etc.)
2. Opportunity for professional growth and greater visibility / partnership with the business
1. PROVIDES A HOLISTIC VIEW OF AN ORGANIZATION’S OVERALL OPERATIONAL RISK

Questions