Reduce IT Risk Through Improved Management and Planning
Gary Alterson
Director, Risk and Advisory Services, Neohapsis
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Introduction
A lesson from ABC’s Shark Tank
About Me
Gary Alterson
Director, Risk and Advisory Services, Neohapsis
Agenda
• Set the Context
• The Big Picture
• Engaging Decision Makers
• Scoping the Program
• Building a Common Language
Case Studies
• International Financial Services Firms
• International Airline
• National Retailer
Setting the Context
Defining Risk
Risk defined – anything that has the potential to keep you from achieving your business objectives
• Dynamic
• Temporal
• Relative
• Measurable
• Impactful
• Contributory
Enterprise Risk Management
Identifies and manages potential events in order to provide reasonable assurance in achieving organizational objectives.
• Process
• Every level
• Strategy-Setting
• Portfolio View
• Manage events within appetite
• Assurance
• Achievement
IT Risk Management
IT risk is a subset of Enterprise Risk Management focused on the unique challenges of managing technology.
• Availability
• Access
• Accuracy
• Alignment
• Agility
• Efficiency
Sample IT Risk Areas
Alignment
• Integrated Strategy
• Adequate Investment
Agility
• Technology Flexibility
• Demand Management
Efficiency
• Procedural Friction
• Optimized Resource Usage
Availability
• System Performance
• BCP/DR Alignment
Access
• System Security
• Mobile Access
Accuracy
• Error Identification
• Employee Applications
Why Risk Management
Diagram labels (layout not recoverable): Decision Support; Competitive Advantage; Innovation; Business Integration; Cost Efficiency; Reactive Risk Management; “ROI”; Compliance; Strategic Risk Management; Operational Risk Management
IT Risk Supports ERM
Diagram labels: Enterprise Risk; Operational Risk; IT Risk
Pause
Is this your IT Risk Management?
The Big Picture
Quick Poll
• Is IT Risk Management Used Strategically Within Your Business?
IT Risk as Strategic Process
A Note About “Risk Culture”
Definition of culture: the set of shared attitudes, values, goals, and practices that characterizes an institution or organization; the set of values, conventions, or social practices associated with a particular field, activity, or societal characteristic
Establishing Culture
Path to build a risk culture:
• Set “Tone at the Top”
• Build Common Practice
• Hold management and staff accountable
• Give it Time
Diagram labels: Accountability; Framework and Process; Understanding (Category / Scope); Language; Time; “Tone at the Top” / Set Shared Purpose; Policy; Common Practice
Engaging Decision Makers
Quick Discussion
• Who can accept risk?
Delegation and Powers Reserved
• Delegated decision making – Not every decision is made at the top
• Powers Reserved – Which decisions are reserved for what people
Sample Powers Reserved
Establishing Oversight and Decision Making Structure
Example
Diagram labels: Business Risk Committee of the Board; Operational Risk Committee; BU Risk Committees; Compliance Council; IT Risk Steering Committee
Who Participates
Example 1
• Op Risk
• BU Risk Officers
• IT Leadership
• IT Risk
• Compliance
• Legal
• Audit
• HR
Example 2
• CRO
• CIO
• IT Risk
• Legal
• HR
• Communications
• Compliance
• Business Unit Reps
Example 3
• CIO
• Risk
• Audit
• BU CEOs
Right Level of Content
Diagram labels: Business Decisions; Technology Choices
Additional Content
Data needed to make business decisions
• Emerging Threats
• KRIs and KPIs
• Exposure vs. Appetite
• Losses
• Status on Top Risks
High Level Agenda
• Management Feedback
• Standard Business
  o Regular reports and Metrics
• New Business
  o Items for Management Action or Decision
• Continuing Business
  o Items for Management Monitoring
• Escalation
Outcomes of Good Decision Structure
• Right Decisions by Right People
• Quicker Decisions
• Increased Business Alignment
• Meaningful Risk Dialog
• Helps Establish Culture
Additional Considerations
• Risk Appetite
• Risk Policy
Risk Appetite
What is risk appetite?
• Risk Appetite is defined as the level and nature of risk exposure that the Board considers acceptable
Why is it important?
• Establishes tolerances and thresholds
• Clear boundaries
• Prioritization
• Enables portfolio view
Risk Appetite vs. Risk Tolerance
Risk Appetite
• Establishes aggregate level of risk acceptable by board
• Strategic
• Relates to business model and overall strategy
Risk Tolerance
• Acceptable level of risk specific to an objective
• Tactical
• Variable
Risk Policy
Establishes and communicates expectations concerning:
• Roles and Responsibilities
• Governance
• Process
• Risk Appetite and Tolerance
• Exceptions and Exception Management
• Risk Monitoring
Pause
Is this your IT Risk Management?
Scoping the Program
What’s the Scope of Your Program?
What’s the universe of risk in scope?
• Everything
• Limited Problem
• Information Risk vs. IT Risk
Risk Universe
What’s a Risk Universe?
• Classification system
• Statement of Scope
Why is it important?
• Sets Boundaries
• Establishes Consistent Categorization and Framework
• Enables Easy Aggregation
• Facilitates Completeness
Sample ERM Risk Universe
Sample IT Risk Universe
Categories: Agility; Availability; Alignment; Access; Accuracy; Efficiency
Risk areas (diagram layout, and the mapping of each area to its category, not recoverable):
• Strategy / Enterprise Architecture
• Product Flaws
• Legal/Regulatory Compliance
• Accidental Damage
• Theft
• Data Corruption
• Staff (FTE/Skills)
• Software Back Doors
• Malicious Software
• Denial of Service
• External Factors (Power/Communications)
• Environmental Factors
• Identity Theft
• Information Disposal
• Employee Fraud
• Demand Management
• Time To Market
• System Compatibility
• Environment Complexity
• Supplier Response
• Procedural Efficiency
• Requirements Management
• Optimal Resource Usage
• Benefit Realization
• System Capacity
• System Performance
• System Resiliency
• BCP/DR Planning
• System, Network, and Data Access
• Unmanaged Dependencies
• Network Resiliency
• Incident Response
• Unauthorized Access Detection
• Application/System Vulnerability
• Technology Usage
• Error Detection
• Change Control
• Reconciliation
• Segregation Of Duties
• End User Applications
• Technology Obsolescence
• Data Model
• Emerging Technology
• 3rd Party Access
• Software Quality
• Asset Management / Licensing
• Audit/Replay Capability
• Knowledge Transfer / Training
• Documentation
• Standard Configurations
• 3rd Party / Vendor Management
• Project Capacity
• Maintainability
Discussion
• What are the “must haves” for a risk universe?
Building a Common Language
Building a Risk Taxonomy
Sample Probability Descriptors
Sample Impact Descriptors
Second Sample
Building a Simple Risk Model
Simple risk model enables comparisons between risks and against tolerances.
Diagram axes: Risk Impact; Risk Probability
Risk Tolerance Drives Decision Making
• What is the tolerable level of risk (or variability) in order to reach an objective?
• Adjusted based on context, level of risk, or overall risk appetite.
Enhancing the Risk Model
Risk = Impact * Probability
“Simple value at risk” model using numerical criteria.
Multiple options to fine tune model.
Diagram axes: Risk Impact; Risk Probability
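The three preceding slides describe a simple risk model (ordinal probability and impact descriptors, Risk = Impact * Probability, scores compared against a per-objective tolerance and rolled up into a portfolio view) and its numeric "simple value at risk" refinement. The following is an added worked example, not code from the presentation or from Neohapsis; the 1..5 descriptor scales, the tolerance thresholds, the risk-register entries, the dollar figures and the `escalate`/`monitor`/`accept` bands are all constructed here for illustration, since the deck's own descriptor tables are not reproduced on this page.

```python
"""Worked example of a simple IT risk model: ordinal scoring, tolerance
comparison, portfolio aggregation, and a numeric expected-loss variant.
All scales, thresholds and register entries are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed 1..5 descriptor scales (the deck's own tables are not on this page).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # risk-universe category, e.g. "Availability", "Access"
    probability: str   # key of PROBABILITY
    impact: str        # key of IMPACT


def risk_score(risk: Risk) -> int:
    """Simple model from the deck: Risk = Impact * Probability (1..25 here)."""
    return IMPACT[risk.impact] * PROBABILITY[risk.probability]


def rate(score: int, tolerance: int, watch_band: float = 0.6) -> str:
    """Compare a score with the tolerance set for its objective.
    Constructed bands: at/above tolerance needs a management decision;
    within watch_band of tolerance is monitored; the rest is accepted."""
    if score >= tolerance:
        return "escalate"
    if score >= tolerance * watch_band:
        return "monitor"
    return "accept"


def portfolio_view(risks, tolerances):
    """Aggregate per risk-universe category: top score and counts per rating.
    This is the 'portfolio view' the deck says a risk appetite enables."""
    view = defaultdict(lambda: {"top": 0, "escalate": 0, "monitor": 0, "accept": 0})
    for r in risks:
        score = risk_score(r)
        tol = tolerances.get(r.category, tolerances["default"])
        entry = view[r.category]
        entry["top"] = max(entry["top"], score)
        entry[rate(score, tol)] += 1
    return dict(view)


# Enhanced model: numeric criteria instead of ordinal descriptors.
def expected_loss(annual_probability: float, loss_usd: float) -> float:
    """'Simple value at risk': annualised probability times loss magnitude."""
    return annual_probability * loss_usd


def within_appetite(quant_risks, appetite_usd: float):
    """Sum expected losses and test the aggregate against a dollar appetite."""
    total = sum(expected_loss(p, loss) for p, loss in quant_risks)
    return total <= appetite_usd, total


# Constructed sample register (category names follow the deck's six areas).
REGISTER = [
    Risk("Data centre power failure", "Availability", "possible", "major"),
    Risk("Unauthorized access to customer database", "Access", "unlikely", "severe"),
    Risk("Reconciliation errors in billing", "Accuracy", "likely", "minor"),
    Risk("Legacy platform blocks new product launch", "Agility", "possible", "moderate"),
]
# Constructed per-category tolerances; "default" applies where none is set.
TOLERANCES = {"Access": 8, "Availability": 12, "default": 15}

# Constructed (annual probability, loss in USD) pairs and a dollar appetite.
QUANT_REGISTER = [(0.10, 2_000_000), (0.05, 8_000_000), (0.50, 40_000)]
APPETITE_USD = 500_000

if __name__ == "__main__":
    for r in REGISTER:
        s = risk_score(r)
        tol = TOLERANCES.get(r.category, TOLERANCES["default"])
        print(f"{r.name:45} {r.category:13} score={s:2} tol={tol:2} -> {rate(s, tol)}")
    print("Portfolio view:", portfolio_view(REGISTER, TOLERANCES))
    ok, total = within_appetite(QUANT_REGISTER, APPETITE_USD)
    print(f"Expected loss ${total:,.0f} vs appetite ${APPETITE_USD:,} -> "
          f"{'within' if ok else 'exceeds'} appetite")
```

The ordinal score only orders risks; it is the per-objective tolerance that turns a score into a decision, which is why `TOLERANCES` is keyed by category and the Access objective escalates at a lower score than Availability. Switching to expected loss lets the aggregate be compared with an appetite stated in money rather than on a 1..25 scale.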
Quantitative Risk Modeling Example
Exercise
Building a Risk Taxonomy for Impact
Final Pause
Is this your IT Risk Management?
Summary
A Strong Foundation for IT Risk Management including:
• Strategic Process
• Right Decisions by Right People
• Scoping and Aggregation Framework
• Common Taxonomy and Model
Help build a risk culture and build a transformative IT risk program
IT Risk is Transformative
Diagram labels (left to right):
• IT security risks managed; IT stability risks managed; IT efficiency risks managed; IT agility risks managed; IT alignment risks managed
• Customer confidence maintained, IP protected; Business results more reliable; Capital released for investment; Business responsiveness increased; Business goals attained more frequently
• IT as a differentiator, delivering competitive advantage and driving significant business value.
Thank You!
Gary Alterson
Director, Risk and Advisory Services, [email protected]