Reduce IT Risk Through Improved Management and Planning 10-13-15

Gary Alterson

Director Risk and Advisory ServicesNeohapsis

Reduce IT Risk Through Improved Management and Planning

2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

A lesson from ABC’s Shark Tank

Introduction


Gary Alterson

Director, Risk and Advisory Services, Neohapsis

[email protected]

About Me


• Set the Context• The Big Picture • Engaging Decision Makers• Scoping the Program• Building a Common Language

Agenda


• International Financial Services Firms• International Airline• National Retailer

Case Studies


Setting the Context


Risk defined – anything that has the potential to keep you from achieving your business objectives

• Dynamic• Temporal• Relative• Measurable• Impactful• Contributory

Defining Risk


Identifies and manages potential events in order to provide reasonable assurance in achieving organizational objectives.

• Process• Every level• Strategy-Setting• Portfolio View• Manage events within appetite• Assurance• Achievement

Enterprise Risk Management


IT risk is a subset of Enterprise Risk Management focused on the unique challenges of managing technology.

• Availability• Access• Accuracy • Alignment• Agility • Efficiency

IT Risk Management


Sample IT Risk Areas

Alignment• Integrated Strategy• Adequate Investment

Agility• Technology Flexibility• Demand

Management

Efficiency• Procedural Friction• Optimized Resource

Usage

Availability• System Performance• BCP/DR Alignment

Access• System Security• Mobile Access

Accuracy• Error Identification• Employee

Applications


Why Risk Management

Decision Support

Competitive Advantage

Innovation

Business Integration

Cost Efficiency

Reactive Risk Management

“ROI”

Compliance

Strategic Risk Management

Operational Risk Management


IT Risk Supports ERM

EnterpriseRisk

OperationalRisk

ITRisk


Is this your IT Risk Management?

Pause


The Big Picture


• Is IT Risk Management Used Strategically Within Your Business?

Quick Poll


IT Risk as Strategic Process


Definition of culture: the set of shared attitudes, values, goals, and practices that

characterizes an institution or organization

the set of values, conventions, or social practices associated with a particular field, activity, or societal characteristic

A Note About “Risk Culture”


Path to build a risk culture:

• Set “Tone at the Top”

• Build Common Practice

• Hold management and staff accountable

• Give it Time

Establishing Culture

Accountability

Framework and Process

Understanding (Category / Scope)

Language

Time

“Tone at the Top”Set Shared Purpose

Policy

Common Practice


Engaging Decision Makers


• Who can accept risk?

Quick Discussion


• Delegated decision making – Not every decision is made at the top

• Powers Reserved – Which decisions are reserved for what people

Delegation and Powers Reserved


Sample Powers Reserved


Establishing Oversight and Decision Making Structure


Example

IT Risk Steering Committee

Operational Risk Committee BU Risk CommitteesCompliance Council

Business Risk Committee of the

Board


Example 1

• Op Risk

• BU Risk Officers

• IT Leadership

• IT Risk

• Compliance

• Legal

• Audit

• HR

Example 2

• CRO

• CIO

• IT Risk

• Legal

• HR

• Communications

• Compliance

• Business Unit Reps

Who ParticipatesExample 3

• CIO

• Risk

• Audit

• BU CEOs


Right Level of Content

Business

Decisions Technology

Choices


Data needed to make business decisions• Emerging Threats

• KRIs and KPIs

• Exposure vs. Appetite

• Losses

• Status on Top Risks

Additional Content


• Management Feedback

• Standard Businesso Regular reports and Metrics

• New Businesso Items for Management Action or Decision

• Continuing Businesso Items for Management Monitoring

• Escalation

High Level Agenda


• Right Decisions by Right People

• Quicker Decisions

• Increased Business Alignment

• Meaningful Risk Dialog

• Helps Establish Culture

Outcomes of Good Decision Structure


• Risk Appetite• Risk Policy

Additional Considerations


What is risk appetite• Risk Appetite is defined the

level and nature of risk exposure that the Board of considers acceptable

Why is it important• Establishes tolerances and

thresholds

• Clear boundaries

• Prioritization

• Enables portfolio view

Risk Appetite


Risk Appetite vs. Risk Tolerance

Risk Appetite•Establishes aggregate level of risk acceptable by board

•Strategic•Relates to business model and overall strategy

Risk Tolerance•Acceptable level of risk specific to an objective

•Tactical•Variable


Establishes and communicates expectations concerning:• Roles and Responsibilities• Governance• Process• Risk Appetite and Tolerance• Exceptions and Exception Management• Risk Monitoring

Risk Policy



Pause


Scoping the Program


• Everything

• Limited Problem

• Information Risk vs. IT Risk

What’s the universe of risk in scope?

What’s the Scope of Your Program?


What’s a Risk Universe?

Classification systemStatement of Scope

Why is it important?

Sets BoundariesEstablishes Consistent Categorization and FrameworkEnables Easy AggregationFacilitates Completeness

Risk Universe


Sample ERM Risk Universe


Sample IT Risk Universe

Agility Availability

Alignment

Access Accuracy

Efficiency

Strategy / Enterprise Architecture

Product Flaws

Legal/Regulatory Compliance

Accidental Damage

Theft

Data Corruption

Staff (FTE/Skills)

Software Back Doors

Malicious Software

Denial of Service

External Factors (Power/Communications)

Environmental Factors

Identity Theft

Information Disposal

Employee Fraud

Demand Management

Time To Market

System Compatibility

EnvironmentComplexity

Supplier Response

Procedural Efficiency

Requirements Management

Optimal Resource Usage

Benefit Realization

System Capacity

System Performance

System Resiliency

BCP/DR Planning

System , Network, and Data Access

Unmanaged Dependencies

Network Resiliency

Incident Response

Unauthorized Access Detection

Application/System Vulnerability

TechnologyUsage

Error Detection

Change Control

ReconciliationSegregation Of Duties

End User Applications

Technology Obsolescence

Data Model

Emerging Technology

3rd Party Access

Software Quality

Asset Management / Licensing

Audit/Replay Capability

Knowledge Transfer / Training

Documentation

Standard Configurations

3rd Party / VendorManagement

Project Capacity

Maintainability


Sample IT Risk Universe


• What are the “must haves” for a risk universe?

Discussion


Building a Common Language


Building a Risk Taxonomy


Sample Probability Descriptors


Sample Impact Descriptors


Second Sample


Simple risk model enables comparisons between risks and against tolerances.

Building a Simple Risk Model

Risk Impact

Risk Probability


• What is the tolerable level of risk (or variability) in order to reach an objective?

• Adjusted based on context, level of risk, or overall risk appetite.

Risk Tolerance Drives Decision Making


“Simple value at risk” model using numerical criteria.

Multiple options to fine tune model.

Enhancing the Risk ModelRisk = Impact * Probability

Risk Impact

Risk Probability


Quantitative Risk Modeling Example


Building a Risk Taxonomy for Impact

Exercise



Final Pause


A Strong Foundation for IT Risk Management including:

• Strategic Process

• Right Decisions by Right People

• Scoping and Aggregation Framework

• Common Taxonomy and Model

Help build a risk culture and build a transformative IT risk program

Summary


Customer confidencemaintained, IP protected

Business results morereliable

Capital released for investment

Business responsivenessincreased

Business goals attainedmore frequently

IT Risk is Transformative

IT security risksmanaged

IT stability risksmanaged

IT efficiency risksmanaged

IT agility risksmanaged

IT alignment risksmanaged IT as a

differentiator, delivering

competitive advantage and

driving significant

business value.


Gary AltersonDirector, Risk and Advisory Services, [email protected]

Thank You!


Reduce IT Risk Through Improved Management and Planning

Documents

Reduce IT Risk Through Improved Management and Planning 10-13-15