Risk Management for Small & Medium Sized Enterprises Doug Steele is a partner at Grant Thornton LLP leading the Risk Management practice in Vancouver. Doug has extensive experience in IT audit and security, helping organizations manage their risks. His client base includes companies in both the financial and public sector, for whom he has performed comprehensive risk assessments, data integrity audits, computer conversion audits, penetration testing, post-implementation reviews, business process improvement projects and general computer control reviews. He has worked on numerous internal audit projects with several large credit unions. Doug is a Certified Information Systems Auditor, a member of the Institute of Chartered Accountants of British Columbia, and the former president of the Vancouver Chapter of the Information Systems and Control Association (ISACA). He is also a former co-chair of the Speakers Program for the West Coast Security Forum. Grant Thornton LLP Doug Steele, CA, CISA Partner, Technology Risk Management

Risk Definition: Potential of loss or failure from unforeseen events Lost opportunities or revenues Indicators: Changes in people or processes Multiple points of access Inability to monitor Evolving business & practices Dependency on systems Concentration or reach of business 2

Examples of Risks Criminal activities (fraud, robbery, vandalism) Environmental (biological, contamination) Loss of service (communication, power, water) Natural (earthquake, fire, flood, severe weather) Operational (system failure, human error) Organizational (strike, key personnel turnover) Political (civil disturbance, war) 3

Benefits of Risk Management Increased awareness of threats (early identification) Improved ability to respond to the unexpected Continuous improvement of products or services Enhanced ability to profit from new opportunities Improved management decision-making Higher probability of achieving objectives Enhanced stakeholder value More effective use of resources 4

Risk Management Structured Disciplined process Preventive measures Technology Internal controls Proactive measures Transferring risk Insurance Outsourcing Integrated with management processes Policies & procedures 5

Integrated Risk Management Aligns: Objectives (strategic, tactical, operational) Strategy (financial, reputation) Processes (operational, financial, compliance) People (culture, employees, community) Knowledge (internal, external) Technology (internal, outsourced) 6

Trends in Risk Management Movement: Pre-1980 Insurance 1980s Financial Risk Management 1990s Enterprise Risk Management Post-2000 Strategic Significance Focus now: Information security (anti-fraud, privacy) Disclosure / transparency (MI 52-109) Internal controls (MI 52-111, SOX) Business continuity planning 7

Integrated Risk Management Approach Adopt a methodology Identify potential risks & vulnerability Conduct a risk assessment Develop response strategies Develop risk management policy Monitor risk response effectiveness Update risk assessment continuously 8

Challenges for SMEs Finding the right balance of: Knowledgeable staff Experienced management Business infrastructure costs Technological infrastructure costs Consulting costs Competition from larger organizations Scarce resources (financial and other) 9

Practical Examples Successes Failures Lessons learned 10

Technology Solutions Automated internal controls Access (physical, network & application security) Edits (batch, balance, format, check digit) Validation Purchased software Fraud detection software Risk management & analysis software Continuous monitoring software Outsourcing (transferring the risk) Risk Analysis/Management Software (from Internal Auditor Magazine – Aug-05) 2005 Buyer’s Guide to Audit, Anti-Fraud & Assurance Software (www.auditsoftware.net/community/store) Aline (info@aline4sox.com) Audit Leverage Software (info@AuditLeverage.com) AutoAudit, Risk Navigator; The Paisley Solution (www.paisleyconsulting.com) Certus Governance Suite (www.certus.com) Confident Compliance; Continuous Compliance Suite (www.virsa.com) Decision Factor AEM (www.RuleSphere.com) Enterprise Risk Assessor (ERA); Pro Audit Advisor (www.methodware.com) eProcessManager (ePM) (www.eprocessmanager.com) Galileo; KnowledgeLeader (www.darcangelosoftwareservices.com) Operational Risk Management (ORM) Portal (www.protivi.com) Optial (www.optial.com) Pentana (www.pentana.com) Sharpe Decisions Executive Workshop (www.sharpedecisions.com) TeamRisk (www.pwc.com/teammate) 11

Other Solutions Good corporate governance (tone at the top) Internal audit activities External consulting services 12

Summary Know the risks Recognize the benefits Integrate risk management in the organization Accept, reject, transfer or mitigate risk Take advantage of technology Set the tone at the top Balance the costs Make risk management a continuous process 13

Thank you Questions? Doug Steele is a partner at Grant Thornton LLP leading the Risk Management practice in Vancouver. Doug has extensive experience in IT audit and security, helping organizations manage their risks. His client base includes companies in both the financial and public sector, for whom he has performed comprehensive risk assessments, data integrity audits, computer conversion audits, penetration testing, post-implementation reviews, business process improvement projects and general computer control reviews. He has worked on numerous internal audit projects with several large credit unions. Doug is a Certified Information Systems Auditor, a member of the Institute of Chartered Accountants of British Columbia, and the former president of the Vancouver Chapter of the Information Systems and Control Association (ISACA). He is also a former co-chair of the Speakers Program for the West Coast Security Forum.