Building a Corporate Risk Culture Shane Troyer, CPA, CIA, CFE, CISSP Principal Operational Advisory Joost Houwen, CISA, CISSP, PCI QSA Western Canada Practice Leader IT Security

Agenda Fundamentals of Enterprise Risk Management Criteria of a Strong Risk Culture Practical ERM process Project Risk Management - Examples Summary and Question Period 2

What is risk management “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework,

What it really means Risk exists with all organizations and is an inevitable by–product of “doing business”. Successful businesses take prudent risks Some degree of risk is unavoidable and acceptable If not properly identified and managed, risk can threaten, maybe prevent the achievement of goals and objectives 4

ERM framework 5

Some key benefits Greater efficiency of operations and profitability More effective processes Improved decision making, especially with respect to setting corporate strategy Improved corporate governance Reduced risk exposure in key areas Better understanding of risk/reward or risk/opportunity 6

How to ensure your ERM program will fail Communicate the value of ERM in complex and difficult to understand terms Define risk differently within different departments and divisions Implement the program without top-level support Try to manage all risk on an ongoing basis Consider only net risk rather than gross (inherent) Ignore the need for a strong risk culture 7

Project management risks examples Information Technology Information technology (IT) projects both large and small remain a challenge to deliver successfully Larger projects tend to have a greater likelihood of failure or at least significant scope/cost ‘creep’ Typical risks associated with IT projects include: –Project management related risks (e.g. budget, schedule, staff) –User impact (e.g. lack of training) –Data loss (e.g. vendor/system unreliability) Often root causes tend to relate from lack of governance and unclear business outcomes 8

Project management risks examples Construction Controls Construction related projects are typically away from daily view, such as remote sites, but involve many individuals and third parties Some examples of construction project related risks are: –Safety and environmental risks –Cost management and inefficiency risks –Potential of fraud from internal parties or third parties –Project related risks (e.g. budget, schedule, staff) 9

Criteria of a strong risk culture "individual and group behavior within an organization that determines the way the company identifies, understands, discusses and acts on the risks" Owned by company leadership (action and words) Well defined and understood risk appetite Roles and responsibilities defined in context of risk A supported focus on risk appropriate decision making (process over results) Risk mitigation applied timely and consistently Formal documentation and reporting of risk activity Clearly understood approach to risk management 10

Conclusion Questions? Thank you 11 Shane Troyer, CPA, CIA, CFE, CISSP Principal Operational Advisory Joost Houwen, CISA, CISSP, PCI QSA Western Canada Practice Leader IT Security