SLIDE 1

San Francisco Chapter

Presented by Scott Perry - Slalom Consulting

SLIDE 2

  • Introductions
  • Session Objectives
  • Overview of Enterprise Risk Management
  • The Role Of IT
  • IT Governance Model
  • IT Risk Assessment
  • How IT Auditors Add Value
  • Key Summary Points
  • Q&A


SLIDE 4

  • Provide an overview and historical context for Enterprise Risk Management (ERM)
  • Discuss the changing risk landscape and how ERM is evolving in companies today
  • IT and its emerging role in ERM
  • How IT Auditors can add value in the ERM process

SLIDE 5

What kinds of Risks does your Company Face?

Compliance Risk, Environmental Risk, Litigation Risk, Reputation Risk, Financial Reporting Risk, Credit Risk, Inherent Risk, Control Risk, Liquidity Risk, Availability Risk, Going Concern Risk, Health & Safety Risk, Ethics Risk, Mergers & Acquisition Risk, Capacity Risk, Supplier Risk, Personnel Risk, Systems Performance Risk, Control Risk, Capital Market Risk, Government Risk, Natural Disaster Risk, Economic Risk, Data Integrity Risk

SLIDE 6

Compliance & Prevention → Operating Performance → Shareholder Value Enhancement

  • Protect P&L, balance sheet from surprises
  • Meet compliance/fiduciary responsibility
  • Prevent accidents, crisis
  • Risk planning in business strategy
  • Achieving traditional risk best practice status
  • Brand/reputation risk focus
  • Integration into corporate governance
  • ERM as competitive tool
  • Societal focus

SLIDE 7

There are several options that management may consider to address risks:

  • Acceptance
  • Avoidance
  • Mitigation
  • Reduction
  • Sharing

SLIDE 8

Source – Open Compliance and Ethics Group

SLIDE 9

Source – Open Compliance and Ethics Group

SLIDE 10

What is your Company’s Risk Appetite?

Risk appetite is the degree of uncertainty a company is willing to accept to reach its goals.

Averse / Moderate / Aggressive

SLIDE 11

From → To

  • Limited strategic influence → Effective support of strategic and business planning
  • Risk aversion → Proactive risk management
  • Silo effects and barriers → Integrated, holistic approach
  • Inconsistent risk reporting → Concise and consolidated reporting
  • Infrequent risk assessment → Continuous risk assessment & reevaluation
  • Ambiguous ownership for certain types of risk → Risk ownership assigned in management business and evaluation plans
  • Closed communication → Open communication
  • Lack of clear definitions of roles and responsibilities → Risk management roles and responsibilities clearly defined and communicated

SLIDE 12

  • Better Understanding of Risk Posture
  • More Effective Risk Mitigation
  • Less Business Fear
  • Greater Corporate Support for Critical Business Ventures
  • Improved Corporate Governance

SLIDE 13

  • Investors are willing to pay a premium for effective risk management
  • Ratings agencies are increasing their focus on risk management

Source – Compliance Week

SLIDE 14

  1. Define scope and objectives
  2. Identify boundaries and types of risks
  3. Perform an Enterprise Risk Assessment
  4. Bucket and prioritize risks
  5. Establish Risk Mitigation projects and reduction programs
  6. Institute feedback mechanisms
  7. Optimize and refine

SLIDE 15

  • Get Executive management Buy-in
  • Establish the end state
  • Create a common taxonomy
  • Evangelize the concept throughout the enterprise
  • Take on only what you can achieve
  • Get both top-down and bottom-up perspectives
  • Get Objective Advice

SLIDE 16

  • Management Acceptance and Ownership
  • Treat ERM like a Mission Critical Project
  • Coordinate ERM for other Compliance and Risk Mitigation Efforts
  • Create a Central Repository for Risks
  • Link To Performance Measures

SLIDE 17

Phase 1 Scoping & Initiation → Phase 2 Current State Assessment → Phase 3 Future State Design → Phase 4 Implementation → Phase 5 Monitoring/Improvement

Activities:

  • Scope project
  • Governance
  • Project Charter
  • Project and communication plans
  • Surveys
  • Workshops
  • Interviews
  • Risk appetite analysis
  • Risk identification and analysis
  • Risk scoring
  • Deliverables
  • Migration activities
  • Change management
  • Implement tools
  • Ongoing assessments/reporting
  • Continuous improvement
  • Knowledge transfer
  • Best practices
  • Management decisions
  • Update organization model, processes & controls
  • Assign accountability
  • Migration plan

Hand off to internal resources

SLIDE 18

The IT risk focus is changing

From: Reactive, Risk Ignorance, Ad hoc approach, Minimum compliance

To: Proactive, Risk Awareness, Formalized approach, Value added improvement

SLIDE 19

Source – Forrester Research

SLIDE 20

Source – Forrester Research

SLIDE 21

  • Yesterday – Reacting and Firefighting
  • Today – Some are proactively managing IT risk and compliance
  • Tomorrow – Risk central nervous system

SLIDE 22

  • Increased liability and regulatory oversight
  • IT is a core component of operational risk
  • Companies are formalizing IT risk and compliance
  • There are many interdependent IT risks

SLIDE 23

Huge adoption of IT governance, security and operational frameworks

IT is leveraging:

  • Better integration
  • Tools & Templates
  • Incentives

SLIDE 24

Dashboards, scorecards and metrics allow for better IT performance and risk management

SLIDE 25

  • Give IT a prominent seat at the risk table
  • Appoint IT risk and compliance focal points
  • Develop an IT risk and compliance strategy
  • Develop IT measurements and feedback mechanisms

SLIDE 26

IT Governance Framework (diagram; labels as extracted)

Board of Directors; Audit Committee; Executive Management Group; VPs; CIO; DRMG; Internal Audit; Policy & Standards; Control Sustainment; Internal Control Assessment; Assessment Results; Technology Requirements; Issues; Feedback; Work Intake & Prioritization; Technology Capabilities; Values & Vision; Investment; Business Initiatives; IT Organizational Boundary; Business Drivers; Business Strategy; Relationship Mgmt; IT Strategy & Risk Assess; Strategic Plan; IT Operating Principles & Goals; PLAN / BUILD / RUN; Portfolio Management; SDLC; ITIL; Strategy Initiatives; Management Guidance; Bus/IT Alignment; Service Communication; Performance Data; Risks & Control Issues; Performance Metrics & Threats; Vendor Management; Results Delivery

SLIDE 27

  • Consistent and Defensible
  • Tailored for progressive implementation
  • Aligns IT process with business goals/objectives and regulatory requirements
  • Educates Management and executives to better manage risks associated with IT


SLIDE 29

In the same way as enterprise risk, IT should influence the strategic opportunities and benefits identified by the enterprise


SLIDE 31

Risk Attributes / IT Resources

The IT Risk Assessment Dashboard graphically depicts how well inherent risks in IT Resources are controlled by the organization

SLIDE 32

IT Risk Assessment Dashboard (matrix): Residual Risk (Low / Med / High) plotted against Impact to Business (Low / Med / High); each of the nine cells carries a Risk Mitigation Frequency.

Cell frequencies (in extracted order): Freq = 3 yrs; Freq = 1 yr; Freq = 2-3 yrs; Freq = 2-3 yrs; Freq = 2 yrs; Freq = 2 yrs; Freq = 1-2 yrs; Freq = 1 yr; Freq = 1-2 yrs

IT Resources plotted: Security Perimeter, Network, IT Management, Security Administration, System Software, Third Party Outsource, Headquarters, DRP/BRF, SDLC, Database Administration, Change Management
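As an added, runnable illustration of the dashboard idea on slides 31 and 32 (example code written for this page, not part of the presentation or of Slalom's material): each IT resource gets an inherent-risk score and a control-effectiveness score, the residual risk is the part of the inherent risk the controls leave uncovered, and the residual-risk level is crossed with impact to business to pick a review frequency from the slide's own "Freq = N yrs" vocabulary. The sample scores, the Low/Med/High thresholds, the residual-risk formula and the placement of frequencies in the cells are all assumptions made for this example; the slide does not state them.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Med", "High")   # ordering used for both impact and residual risk


@dataclass(frozen=True)
class ITResource:
    """One row of the risk register (names from slide 32, scores constructed)."""
    name: str
    inherent_risk: float           # 0.0 .. 1.0, exposure before any control is applied
    control_effectiveness: float   # 0.0 .. 1.0, share of that exposure the controls remove
    impact: str                    # "Low" | "Med" | "High" impact to business


def residual_risk(res: ITResource) -> float:
    """Residual risk = inherent risk the controls do not absorb (assumed model)."""
    for label, value in (("inherent_risk", res.inherent_risk),
                         ("control_effectiveness", res.control_effectiveness)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{res.name}: {label}={value} must lie in [0, 1]")
    if res.impact not in LEVELS:
        raise ValueError(f"{res.name}: impact must be one of {LEVELS}")
    return res.inherent_risk * (1.0 - res.control_effectiveness)


def level(score: float) -> str:
    """Bucket a 0..1 score into Low / Med / High (thresholds are this example's assumption)."""
    if score < 0.25:
        return "Low"
    if score < 0.60:
        return "Med"
    return "High"


# Review-frequency matrix indexed [impact][residual level].  It reuses the
# "Freq = N yrs" labels shown on slide 32; which label sits in which cell is
# an assumption made for this example, not something the slide states.
FREQUENCY = {
    "Low":  {"Low": "Freq = 3 yrs",   "Med": "Freq = 2-3 yrs", "High": "Freq = 2 yrs"},
    "Med":  {"Low": "Freq = 2-3 yrs", "Med": "Freq = 2 yrs",   "High": "Freq = 1-2 yrs"},
    "High": {"Low": "Freq = 2 yrs",   "Med": "Freq = 1-2 yrs", "High": "Freq = 1 yr"},
}


def assess(res: ITResource) -> dict:
    """Score one resource and look up the review frequency for its matrix cell."""
    score = residual_risk(res)
    lvl = level(score)
    return {
        "name": res.name,
        "residual": round(score, 2),
        "residual_level": lvl,
        "impact": res.impact,
        "frequency": FREQUENCY[res.impact][lvl],
    }


def dashboard(resources) -> dict:
    """Build the 3x3 grid {impact: {residual level: [resource names]}} the slide draws."""
    grid = {imp: {lvl: [] for lvl in LEVELS} for imp in LEVELS}
    for res in resources:
        a = assess(res)
        grid[a["impact"]][a["residual_level"]].append(a["name"])
    return grid


def priority_order(resources) -> list:
    """Resource names, most urgent first: highest impact, then highest residual risk."""
    ranked = sorted((assess(r) for r in resources),
                    key=lambda a: (-LEVELS.index(a["impact"]), -a["residual"]))
    return [a["name"] for a in ranked]


# Constructed sample register: names taken from slide 32, scores invented here.
SAMPLE_RESOURCES = [
    ITResource("Security Perimeter", 0.9, 0.8, "High"),
    ITResource("Network", 0.6, 0.5, "Med"),
    ITResource("Database Administration", 0.7, 0.6, "High"),
    ITResource("Change Management", 0.8, 0.2, "High"),
    ITResource("Third Party Outsource", 0.7, 0.3, "High"),
    ITResource("DRP/BRF", 0.5, 0.9, "Low"),
]

if __name__ == "__main__":
    rows = {a["name"]: a for a in map(assess, SAMPLE_RESOURCES)}
    for name in priority_order(SAMPLE_RESOURCES):
        a = rows[name]
        print(f"{a['name']:<24} impact={a['impact']:<4} residual={a['residual']:.2f} "
              f"({a['residual_level']:<4}) -> {a['frequency']}")
```

Running the script prints the register most-urgent-first; a resource with high business impact whose controls leave most of the inherent risk uncovered (here the constructed "Change Management" row) lands in the High/High cell and gets the annual review, while a well-controlled, low-impact resource drops to the three-year cell. Swapping the constructed scores for an organisation's own assessment results is the only change needed to reuse the grid.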

SLIDE 33

Be the In-house Expert on Risk

  • Education on IT risk frameworks
  • Determine levels of process maturity
  • Leverage prioritization and continuous process improvement

SLIDE 34

  • Taxonomy to bridge the business-technology gap
  • Control “rogue” IT activities

SLIDE 35

  • Critical success factors in any ERM effort:
    • Clear ownership and accountability of risk
    • Realistic expectations of success of risk control plans
    • Ongoing communications, “governance” processes to continually re-rank risks, and identify new ones
  • ERM is ultimately about changing culture and behavior, driving decision making and measurable results
