Published by Ryan Reilly
Modified over 3 years ago
Webb Watch Corporation © 2010
Managing Risk
UMANT Presentation
Presenters: Calvin Webb III, Michael Di Paolo
April 23, 2010

Today's Agenda
Risk (10-15 minutes)
– What is it?
– Why is it important?
– Common Terminology
Information Technology Risk (20-25 minutes)
Questions (10 minutes)

Risk – What is it / how to address it?
Definition
Scenarios – What is the risk and what is the plan to address the risk?
– Skydiving
– Driving
– Living in a house

Risk – Common Terminology
Enterprise Risk Management (ERM)
– Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. [1]
[1] Committee of Sponsoring Organizations, Enterprise Risk Management – Integrated Framework, www.coso.org
COSO ERM Framework
[Figure: the COSO ERM framework. Source: Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework (Jersey City, New Jersey: AICPA, 2004).]

Risk – Why is it important?
Headlines:
– Liberty losing millions in sales to other areas – Dayton News
– Victoria: downturn in economy good news for public library
– San Benito: city supervisor charged with theft, saying he used city money to pay for repairs to his 1986 silver Camaro
– Kerrville: voters weigh possibility of spouses on council
– South Carolina: city manager search tainted by illegal meetings
– Austin: Cap Metro approves resolution to pay $51 million in debt to city out of projected sales taxes by 2019
– More Delays: New Ash Cloud Heads Towards UK
Webb Watch Corporation Business Risk Navigation Model
[Figure: risk categories laid out on an Ongoing / Event axis. The model is shown in full and then zoomed in on each group over the following slides; the recoverable labels are listed once here.]

EXTERNAL
– Competitor, Customer Wants, Economy, Laws & Regulations, Global Financial Markets, Political, Catastrophic Loss, Terrorism / Violent Acts, Technological Innovation

INTANGIBLE
– Brand, Institutional Knowledge, Complexity, Environmental Responsibility (Green), Reputation

EXECUTION
– FINANCIAL: Accounting Information, Commodity Pricing, Credit Availability, Liquidity, External Reporting, Investor Confidence
– PEOPLE: Workforce Management, Performance Management, Management Competency, Training & Development, Operational Knowledge & Documentation, Benefit Management, Pension Management
– LEADERSHIP: Budget & Resource Allocation, Business Model / Sustainability, Ethics / Integrity, Governing Body & Executive, Operating & Organizational Culture, Organization Design, Transparency, Strategy, Succession Planning, Tone at the Top, Communication
– INFORMATION: Technology Infrastructure, Integrity, Security, Relevance, Availability, Access
– OPERATIONS: Business Interruption / Disaster Recovery, Customer / Government Interface, Legal & Regulatory Compliance, Concentration, Intergovernmental Maximization, Fraud / Criminal Event, Asset Management, Human Resources, Health & Safety, Marketing & Sales, Internal Controls, Construction Management, Public Relations, Service Consolidation, Supply Chain, Risk Mitigation, Efficiency & Effectiveness, Process Execution, Policies & Procedures, Contract Management, Taxation, IT Governance / Strategy

SUPPORT
– Organizational Change Readiness, Citizen / Customer Satisfaction, Facility, Equipment Security, Outsourcing & Partnering, Product Development & Service Innovation, Capacity & Capability Management, Strategy Design, Information & Execution
Risks with Technology
Risks are inherent in normal, everyday local government work practices. You try mightily to eliminate financial and other risk through all sorts of controls, review cycles, and approval processes. Many of these rely on technology systems. In the end, people don't always do what is expected, emergencies void normal controls, people quit, leaving gaps in process knowledge, technology systems fail, unforeseen events occur, and so forth. In today's world, all local government work practices rely on technology. And technology is far from foolproof!

Information Security
Only 20% of security breaches are attacks from outside! About 80% of all reported security breaches occur from within the corporate network and are made by employees.
Have you ever even thought about or tried to manage technology risks in any meaningful way?
Is technology security the domain of the IT Director in your organization? If so, that leaves a lot to be desired in the way of risk management. If employees cause most breaches, how can an IT Director manage security effectively?

Controlling Risk from the Outside
The IT Director can manage most, but not all, security to prevent successful attacks from the outside.
Multiple layers of security (think of it just like multiple layers of clothing keep you warm in the winter).
The best security systems are useless if not managed well.
Layers:
– Border Firewalls
– DMZ
– Intrusion Detection Systems
– Intrusion Prevention Systems
– Anti-virus
– Strong passwords
– Patch management
– Web or Application firewalls
– Data encryption
– Spam scanning
Breaking In
I've led teams that have broken into a fairly large bank. Banks have rigorous federal security requirements.
First, I'd try a frontal assault on your network defenses: use of tools to scan and infiltrate your network from the Internet.
If a frontal assault on your security defenses doesn't yield results, I would shift to a flanking strategy – attack you from an angle you didn't expect.
Failing that, I'd move on to social engineering; it almost never fails, because I enlist your employees to help me!
Damage from Security Breaches
What could I do to your financial systems, or any systems for that matter, if I got inside your internal network?
– Financials, Procurement, HR/Payroll.
– Other systems (Police, Code, Court, etc.)
– Theft of Personally Identifiable Information (PII) – identity theft is rampant, affecting over 5 million people.
– Cause you loss of data, corrupted data, inability to use your systems or to know whether data was or was not correct.
– Reputation, loss of credibility, front page in the newspapers and on the nightly news.
In March 2007, hackers stole 45.7 million credit and debit cards of TJ Maxx customers!

Problems Managing Risk from the Inside
– Financial controls
– Financial systems security
– User provisioning/de-provisioning (access controls)
– Employee education, employee education, employee education (phishing attacks, data leakage)
– Management education (why do I care?)
– IT education (they don't know it all!)
– Technology security systems
– Good security practices
– Regular testing of various aspects of your security

Why Should Anybody Care?
– We become ever more fragile organizations as we deploy more and more technology to operate our governments.
– We seem to think that security is something that IT can do alone; they can't.
– We de-emphasize the risks inherent in our operations, leaving ourselves open to disruption, financial loss, reputational loss, extra scrutiny, extra cost, and dismissal.
– Because it is simply good business to care about the information for which you are responsible.
– Because everyone, citizens and vendors, expects us to take prudent precautions with our information.

Questions?