EDUCAUSE Security Professionals Conference May 6, 2008 Rebecca J. Whitener, CPA, CIA, CISA, CFE Former Vice President and Chief Risk Officer EDS
"…each new wave of technology will make obsolete existing information security measures - increasing security exposures in new and legacy environments." (Gartner)
226,874,657 records containing sensitive personal information involved in security breaches in the U.S. since January 2005.
(Privacy Rights Clearinghouse, updated through May 4, 2008)
2007 marked a significant change for information security incidents occurring at colleges and universities around the world, as reported in the news.

A sample of the information in the Educational Security Incidents (ESI) Year in Review:
Total Number of Incidents: % increase over 2006
Total Number of Institutions Affected: % increase over 2006
(The ESI Year in Review, by Adam Dodge, posted February 10th, 2008)
Reactive
Response to an event
IT Driven
Based on assessments of vulnerabilities
Generally NOT Pro-Active

vs.

Focused on Resilience
Cross-Functional
Built upon a comprehensive Risk Assessment
Disasters
Regulatory actions
(*Forrester)

These forces are leading to an increase in the need for a comprehensive view of enterprise-wide risks and the emergence of a new role – the Chief Risk Officer.
Traditional - Focus on business line processes, internal controls
Enterprise-wide Coordination - CRO, Audit, General Counsel or cross-functional team develops a common direction for Governance, Risk and Compliance (GRC)
Move to Increased Monitoring and Reporting
Analysis - Collection and evaluation of data helps determine the impact and likelihood of risk events
Aggregation and Integration - Full integration into cross-functional processes and technologies

"…many business experts believe that the concept of a cross-functional convergence of these activities (Governance, Risk and Compliance) represents a progressive approach in this area, and is quickly replacing the traditional fragmented or silo mentality." (The Corporate Defense Continuum, Risk and Compliance, Sean Lyons, 1/23/2007)

Governance, Risk and Compliance Continuum: Traditional Silo-based -> Cross Functional Coordination -> True Risk Resiliency
Often requires a culture change
It is hard to distinguish ERM from old-fashioned business management
The approach that works for some companies may not work for others
ERM models are about estimating the impact and likelihood of risk events
The risk environment includes the behavior of people (difficult to predict)
Each risk being considered within an ERM model is often highly dependent upon context
"…protecting the complex, technology-dependent, globally focused organization today is still in the hands of organizational structures and methods that were developed before the commercial computer age – let alone the network age. …Given this and the silo development of operational risk functions, the compelling question organizations now need to ask is what constitutes good risk management?" (BRG)

Any organization's risk management strategy:
Weak or non-existent cross-functional risk processes
Some well developed processes with gaps
Effective risk models and processes (Desired State)
Risk Issue Identification
Governance and Organization
Status Reporting
Map to Process and Owner
Action Plan Management
Assessment/Measurement
Culture and Awareness

Context is Critical
COSO = Committee of Sponsoring Organizations

Risk Management Framework (based on AS/NZS 4360: Australian/New Zealand Standard Risk Management):
Risk Management Context
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Monitor and Report
Risk Governance
Awareness
Communications
Collaborate on strategy: cross-functional input from legal, audit, CRO, CFO, CSPO, risk owners
Identify and classify relevant compliance requirements as they relate to Strategic, Financial, Operational and Technology objectives
Assess impact, assign confidence ranking
Identify impact/likelihood of adverse events on corporate objectives
Assess inherent risks of noncompliance
Assess risks remaining after mitigations
Plot risks on risk map
Focus on areas with highest concerns: risks are not equally important; focus on those high and to the right (high Impact, high Likelihood = High Focus Risks)
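The assess, plot and focus steps above, as an added worked example that is not from the presentation: a small Python risk register that rates inherent impact and likelihood, subtracts the effect of recorded mitigations to get residual ratings, places the residual ratings on a 5x5 risk map and lists the risks that land "high and to the right". The five-point scales, the focus threshold of 4, the register entries and the mitigation reductions are all constructed assumptions for illustration; a real program would calibrate them against its own objectives.

```python
"""Risk register, residual scoring and risk map (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE = (1, 2, 3, 4, 5)    # 1 = negligible / rare ... 5 = severe / almost certain (assumed)
FOCUS_THRESHOLD = 4        # impact AND likelihood at or above this = "high and to the right"


@dataclass
class Mitigation:
    name: str
    impact_reduction: int = 0       # scale points the control removes from impact
    likelihood_reduction: int = 0   # scale points the control removes from likelihood


@dataclass
class Risk:
    name: str
    objective: str                  # Strategic / Financial / Operational / Technology
    inherent_impact: int
    inherent_likelihood: int
    confidence: str = "medium"      # assessors' confidence in the rating (slide: "confidence ranking")
    mitigations: List[Mitigation] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.inherent_impact, self.inherent_likelihood):
            if v not in SCALE:
                raise ValueError(f"{self.name}: rating {v} is outside scale {SCALE}")

    @property
    def inherent_score(self) -> int:
        return self.inherent_impact * self.inherent_likelihood

    @property
    def residual(self) -> Tuple[int, int]:
        """(impact, likelihood) remaining after mitigations; never below 1 on either axis."""
        imp = self.inherent_impact - sum(m.impact_reduction for m in self.mitigations)
        lik = self.inherent_likelihood - sum(m.likelihood_reduction for m in self.mitigations)
        return max(SCALE[0], imp), max(SCALE[0], lik)

    @property
    def residual_score(self) -> int:
        imp, lik = self.residual
        return imp * lik

    @property
    def high_focus(self) -> bool:
        imp, lik = self.residual
        return imp >= FOCUS_THRESHOLD and lik >= FOCUS_THRESHOLD


def risk_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by their residual (impact, likelihood) cell on the map."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        cells.setdefault(r.residual, []).append(r.name)
    return cells


def focus_list(register: List[Risk]) -> List[str]:
    """Risks in the high-focus region, highest residual score first (ties: higher inherent score)."""
    hot = [r for r in register if r.high_focus]
    hot.sort(key=lambda r: (r.residual_score, r.inherent_score), reverse=True)
    return [r.name for r in hot]


def render_map(register: List[Risk]) -> str:
    """ASCII map: impact down the left (high at top), likelihood across (high at right).
    Each cell shows a marker ('*' = high-focus region, '.' otherwise) and the risk count."""
    cells = risk_map(register)
    lines = []
    for imp in reversed(SCALE):
        row = []
        for lik in SCALE:
            mark = "*" if imp >= FOCUS_THRESHOLD and lik >= FOCUS_THRESHOLD else "."
            row.append(f"{mark}{len(cells.get((imp, lik), []))}")
        lines.append(f"I{imp} | " + " ".join(row))
    lines.append("     " + " ".join(f"L{lik}" for lik in SCALE))
    return "\n".join(lines)


# Constructed sample register for a campus environment (illustrative values only).
REGISTER = [
    Risk("Unencrypted laptops holding student PII", "Technology", 5, 4, "high",
         [Mitigation("Full-disk encryption rollout", likelihood_reduction=2)]),
    Risk("FERPA non-compliance finding", "Operational", 4, 4, "medium"),
    Risk("Research grant revenue shortfall", "Financial", 3, 2, "low"),
    Risk("Campus network outage (severe weather)", "Operational", 4, 4, "high",
         [Mitigation("Redundant uplinks", impact_reduction=1)]),
    Risk("Unpatched ERP system reachable from the internet", "Technology", 5, 5, "medium",
         [Mitigation("Monthly patch cadence plus web application firewall",
                     impact_reduction=1, likelihood_reduction=1)]),
]

if __name__ == "__main__":
    print(render_map(REGISTER))
    print("High focus risks:", focus_list(REGISTER))
```

Note that the laptop risk is inherently in the focus region (5, 4) but the encryption control moves it to (5, 2), while the ERP risk stays in the region even after mitigation; the map therefore shows the residual picture the slide asks for, and the inherent score is kept only as a tie-breaker so that a risk with a larger unmitigated exposure is listed first.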
Scenario Planning
Consideration of events or outcomes that could reasonably occur - not necessarily based on historical data. Gathered through brainstorming with "what ifs". Involves environmental scanning, predictive analysis, cross-functional input from multiple sources. Creates circumstances to judge preparedness. Addresses impact and likelihood.

Root Cause Analysis
Root cause analysis helps identify what, how and why something happened, thus preventing recurrence. Root causes are underlying, are reasonably identifiable, can be controlled by management and allow for generation of recommendations. The process involves data collection, cause charting, root cause identification and recommendation generation and implementation. By directing corrective measures at root causes, it is hoped that the likelihood of problem recurrence will be minimized.
Every company tailors its ERM program based on its specific needs… A common element is that day-to-day risk management decisions are made at every level in the organization.

Any organization concerned with successfully operationalizing ERM must ensure that its people…
Understand ERM concepts
Understand how to carry out their responsibility…acting in accordance with any defined ERM principles.
Organizational culture
Not linked to any unique sanction, reward or incentive
Complexity of the ERM process itself
Cost/benefit constraints
Expertise
Dynamic nature of managing risks
Cross-functional differences

"A successful CRO does not command from above. They set a framework for risk management, while day-to-day decisions on what is or isn't an acceptable risk fall to managers and employees in the frontline of business." (Economist Intelligence Unit)
Clarify objectives
Communicate (top down and bottom up)
Include and involve in all aspects of ERM program
Create performance metrics and expectations
Factor in emotions
New Enemies - Terrorists, professionals with different motivations, man-made and natural events
Posing New Threats - Real time, context aware activity, instantaneous, multiple sources, catastrophic impact
Requiring New Solutions - Moving from reactive to proactive; adaptive, responsive to context; based on risk assessment
Board and Executive Management Support
Common risk language and concepts
Communication about risk using appropriate channels
Development of training programs for risk management
Development of a knowledge-sharing system
Built into performance expectations
Identification of cross-functional "risk champions"

Goal is to create a risk culture where people consciously take risk into consideration in decision-making at all levels of the organization.