Risk Management
What Works
The Main Event 2nd Annual GRC Symposium
May 16, 2012
Brookfield, Wisconsin.
Mark T. Chapman, CISSP, CISM, CRISC
Chapman Technology Group, Inc.
www.PhishLine.com
mchapman @ phishline.com
Copyright © 2012, Chapman Technology Group, Inc. All Rights Reserved.
In theory, Risk Management should be easy. Identify critical assets, consider potential risks, evaluate mitigating factors, measure results, take action, and repeat.
In practice, many organizations struggle with the basic terms and concepts. For those who master the concepts, the “exponentially increasing complexity” of risk management efforts can quickly overwhelm organizations of every size.
Risk Assessment for a Television Interview
I primarily didn’t want to:
• Look like an idiot.
• Get sued for saying or doing anything dumb.
Secondarily, I didn’t want to:
• Be rushed to get there or be late.
Preemptive Mitigation for a Television Interview
• Extra suit in the car.
• Extra laptop.
• Charge cellphone and laptops.
• Practice the demo.
• Gas up the car the night before.
• Leave the house early.
Unanticipated Risks for a Television Interview
• Required cell phone was completely discharged 2 hours before the shooting.
• I almost tripped on a lighting cable in the studio.
Damage Assessment for a Television Interview
Financial Loss:
While shooting the in-the-field portion of the story, I got a parking ticket!
Risk Cube (diagram)
Axes: Risk Area, Threat Source, Category.
Risk Areas: Strategic Harm, Reputation Damage, Technical Breaches, Compliance Failure, Confidentiality, Integrity, Availability, Liability, Policy, Financial Loss.
Projected values shown on the faces of the cube:
• (Reputation Damage, Employees) = 5
• (Reputation Damage, Liability) = 3
• (Employees, Liability) = 1
This “Cublet” is a specific Risk Area, Threat Source, and Category. The score is computed from the Projected values.
Score(Reputation Damage, Employees, Liability) = Function(1, 3, 5)
Did the “formal process” help?
• Preemptive Mitigation?
• Unanticipated Risks?
• Damage Assessment?
• Why or Why Not?
What Works!
• People manage risk ALL THE TIME.
• Companies manage risks ALL THE TIME.
• It should feel natural, logical,
• And, Risk Management should ALWAYS pass the “Common Sense” test.
High-Level Approach – PUSH
• Preparation
• Universe Definition
• Scoring
• Hitting the Mark
The PUSH Approach was first presented to the FFIEC Information Technology Conference by Mark Chapman in 2007.
Preparation
• Earn Management Buy-In
• Decide to In-Source or Outsource
• Anticipate the Benefits
• Identify the Specific Purpose
• Evaluate Automation Options
Earn Management Buy-In
Motivators:
• Compliance / Fear
• Means to justify other initiatives
• New Management Eager to Learn
• “True Believers”
Results:
1. Go through the motions
2. Do it right
Challenges:
• “It costs money”
• “I already know the risks better than anyone”
• “We have more important things to do”
In-Source or Outsource?
• Current Capability
– Do we have the capability, or can we train in-house?
– Can we identify a firm with independent, knowledgeable and sufficient resources?
• Future Capability
– Turnover of trained employees
– Dependence on consultants
Anticipated Benefits
• To learn something new
• To validate or quantify a concern
• To standardize communication of risk
• To establish common language and tools
• To satisfy the auditors
Specific Purpose
• Audit Planning
• Budgeting
• Compliance
• Disaster Recovery
• Policy Writing
• Risk Management
• Remediation
• Vendor Selection
Hint: You must understand the specific purpose of the risk management project.
Automation
• Paper
• Excel / Word
• Specialized Software
High-Level Approach - PUSH™: Preparation, Universe Definition, Scoring, Hitting the Mark
Universe Definition
• Goal:
– To Define an Appropriate Universe for the Size and Complexity of the Institution
• Choose the Number of “Dimensions”
– Assets, Risks, Controls
• For Each Dimension
– Define Scope, Granularity, Level of Detail
– Populate the Universe
Risk Assessment Math
It seems Easy!
• Assets
– “Valuables” which must be protected
• Risks
– “Bad things” that could happen to “Valuables”
• Controls
– “Mitigating Factors” to limit impact of “Bad Things”
Why is it so Difficult to Implement?
• 50 Assets X 50 Risks X 50 Controls = 125,000 Combinations!
• 600 Assets X 70 Risks = 42,000 Combinations before we get to controls!
Copyright © 2005-2008, Chapman Technology Group,
Inc. All Rights Reserved.
Risk Management Universe (diagram)
3-Dimensions*: Assets, Risks, Controls
* Technically, there is a fourth dimension. Instead of “Time” it is “Testing”, which gets into Risk Monitoring.
2-Dimensional Example
How Many Dimensions? (table: Scope vs. Assets / Risks / Controls)
Scope: Business Impact Analysis, Inherent Risk Assessment, Risk-Based Audit Plan, Disaster Recovery Plan, Risk-Based Audit
Dimensions: Assets, Risks, Controls
Asset Universe
• Scope: Business Functions, Fixed-Assets, Strategies, Brands, Contracts, Cash, Intellectual Property, Products, People
• Granularity: How many levels of assets do we want to consider? (Buildings, Rooms, Individual Bricks)
• Detail: How much information do we want to understand for each asset? (Asset Type, Asset Owner, Importance, Dependencies)
Assets - Level of Detail
Determine the attributes to characterize assets.
Hint: Keep the list small and add as needed.
Assets – Documentation*
Take the opportunity to centralize asset documentation:
• Pictures, Diagrams, Schematics, Building Plans
• Policies, Procedures
• Contracts, Licenses, Vendor Data
• Phone #’s, Key Contacts, Password Escrow
*Do the same thing for Risks and Controls
Example #1: Keep pictures of fire suppression, power and other critical infrastructure
Example #2: Attach pictures of bad check writers
Risk Universe
• Scope: Power Outage, Pandemics, Water Damage, Fraud, Computer Hacking, Employee Turnover, Tampering
• Granularity: How many levels of risks do we want to consider? (City-Wide Blackout, Accidental Power Disconnect, Mouse Chews Through Power Cord)
• Detail: How much information do we want to understand for each risk? (Risk Type, Threat Source, Likelihood, Impact)
Risks - Level of Detail
Determine the attributes to characterize risks.
Hint: Keep the list small and add as needed.
Controls Universe
• Scope: Financial, Physical, Technological, Reputation, Legal, Insurance
• Granularity: How many levels of controls do we want to consider? (Use a Framework, Individual “Bricks”)
• Detail: How much information do we want to understand for each control? (Control Owner, Effectiveness, Compliance Info, Assessment Criteria)
Controls - Level of Detail
Determine the attributes to characterize controls.
Hint: Keep the list small and add as needed.
High-Level Approach - PUSH™: Preparation, Universe Definition, Scoring, Hitting the Mark
Scoring
• Choose Scale
• Normalize
• Prioritize and Trim
• Associate
• Adjust Compound Scores
Choose Scale
Define a consistent scale.
• Numeric (1-5), (0.0-1.0), (1-3), (0%-100%)
• Descriptive (Low, Med, High), (Nice-To-Have, Normal, Critical)
Normalize
Set the Relative Importance of:
• Risks with respect to other Risks
• Assets to other Assets
• Controls to other Controls
Prioritize and Trim
Goal:
To combat the natural exponential growth of assessment efforts by reducing the number of low-priority assets, risks and controls.
Approach:
Select a threshold for exclusion from further risk assessment efforts, documenting the decision.
Retain all excluded data to accommodate priority changes and to reduce duplicate analysis next time.
Associate
1. Be Selective
2. Use Common Sense
3. Document Reasons for Exceptions
Adjust Compound Scores
Use Initial Scores with Few Documented Exceptions.
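As an added example (not code from the slides or from Chapman Technology Group), the following Python puts the Scoring steps above and the earlier “Cublet” slide into one small, runnable model: ratings on several native scales are normalized to 1-5, each cublet of the three-dimensional universe is scored from the projected values on the three faces that touch it, unassociated combinations are skipped rather than scored, and a threshold trims low-priority cublets while retaining them with a documented reason. The universe contents, the scale mappings and the combining function (the arithmetic mean, standing in for the slide’s unspecified Function) are all assumptions; only the three projected values 5, 3 and 1 come from the slide.

```python
"""Added example: a tiny PUSH-style risk universe scored per cublet.
Not the speaker's code. Sample values and the combining function are assumed."""
from itertools import product
from statistics import mean

# --- Choose Scale / Normalize: map each native scale onto a common 1-5 scale ---
SCALES = {
    "numeric-1-5": lambda v: float(v),
    "low-med-high": lambda v: {"Low": 1.0, "Med": 3.0, "High": 5.0}[v],
    "percent": lambda v: 1.0 + 4.0 * float(v) / 100.0,  # 0% -> 1.0, 100% -> 5.0
}


def normalize(value, scale):
    """Convert a rating on any supported scale to the common 1-5 scale."""
    score = SCALES[scale](value)
    if not 1.0 <= score <= 5.0:
        raise ValueError(f"{value!r} on scale {scale!r} is out of range")
    return score


# --- Universe Definition: three dimensions (constructed, deliberately tiny) ---
RISK_AREAS = ["Reputation Damage", "Financial Loss"]
THREAT_SOURCES = ["Employees", "Vendors"]
CATEGORIES = ["Liability", "Policy"]

# Projected values live on the faces of the cube, each rated on its own scale.
# The first three pairs reproduce the slide (5, 3 and 1 once normalized);
# the remaining three are constructed.
PROJECTIONS = {
    ("Reputation Damage", "Employees"): ("numeric-1-5", 5),
    ("Reputation Damage", "Liability"): ("low-med-high", "Med"),
    ("Employees", "Liability"): ("numeric-1-5", 1),
    ("Financial Loss", "Vendors"): ("percent", 75),
    ("Financial Loss", "Policy"): ("low-med-high", "Low"),
    ("Vendors", "Policy"): ("numeric-1-5", 2),
}


def universe_size(*dimension_sizes):
    """Combinations to assess: the product of the dimension sizes (50*50*50 = 125,000)."""
    total = 1
    for n in dimension_sizes:
        total *= n
    return total


def cublet_score(area, source, category, projections=PROJECTIONS, combine=mean):
    """Score one cublet from its three projected face values.

    Returns None when any face is not associated ("Associate: be selective"),
    so an unrated combination never silently scores as zero or as maximum.
    The combining function is an assumption; the slide leaves it unspecified.
    """
    faces = [(area, source), (area, category), (source, category)]
    if any(face not in projections for face in faces):
        return None
    values = []
    for face in faces:
        scale, value = projections[face]
        values.append(normalize(value, scale))
    return combine(values)


def score_universe(areas=RISK_AREAS, sources=THREAT_SOURCES, categories=CATEGORIES):
    """Score every associated cublet in the universe."""
    scores = {}
    for area, source, category in product(areas, sources, categories):
        score = cublet_score(area, source, category)
        if score is not None:
            scores[(area, source, category)] = score
    return scores


def prioritize_and_trim(scores, threshold):
    """Split scored cublets into those retained for further assessment and those
    excluded below the threshold.  Excluded items are kept, with the documented
    reason, so a later priority change does not require re-analysis."""
    retained = {key: value for key, value in scores.items() if value >= threshold}
    excluded = {
        key: (value, f"score {value:.2f} below threshold {threshold}")
        for key, value in scores.items() if value < threshold
    }
    return retained, excluded


if __name__ == "__main__":
    print("combinations in a 50x50x50 universe:", universe_size(50, 50, 50))
    retained, excluded = prioritize_and_trim(score_universe(), threshold=3.0)
    for key, score in retained.items():
        print("retain ", key, round(score, 2))
    for key, (score, reason) in excluded.items():
        print("exclude", key, reason)
```

Run as a script it prints the combinatorial total from the “Risk Assessment Math” slide, then retains the slide’s cublet (mean of 5, 3 and 1 is exactly 3.0) and excludes the constructed Financial Loss cublet with its reason recorded. Swapping `combine` for `max` or a weighted function changes the ranking without touching the rest of the pipeline, which is the point of keeping normalization, association and trimming as separate steps.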
High-Level Approach - PUSH™: Preparation, Universe Definition, Scoring, Hitting the Mark
Hitting the Mark
• Evaluate Intended Specific Purpose
• Write the “Final Report”
• Track Actions Over Time
• Evaluate Project Effectiveness
Intended Specific Purpose
Risk Management can only “Hit the Mark” if it serves a purpose:
– Audit Planning
– Budgeting
– Compliance
– Disaster Planning
– Policy Writing
– Risk Management
– Remediation
– Vendor Selection
Example flow for Audit Planning (diagram):
1. Inventory Assets
2. Characterize Assets
3. Advance Important Items
4. Identify Raw Risks
5. Consider Mitigating Factors
6. Calculate Residual Risk Exposure
7. Advance Areas of Higher Risk
8. Create Audit Plan
9. Create Audit Program
Write the “Final Report”
• Do not
– Put too much emphasis on the final deliverable
– Think “bigger is better”
• Do focus on
– Process used (brief)
– Discoveries
– Trends
– Actions (proposed, planned or completed)
Manage Observations/Findings
Copyright © 2005-2007, Chapman Technology Group,
Inc. All Rights Reserved.
Evaluate Effectiveness
• What did you learn through the process?
• What unexpected benefits did you realize?
• How did you keep the process from getting too detailed or out of control?
• How can you improve the process next time?
• These charts look scientific and absolute; how did you handle the inherent subjectivity?
• Did you achieve your objectives?
Additional Considerations
• Risk Tolerance
• Trending
• Monitoring
• Disaster Recovery Planning
• Monte Carlo Simulations
• Surveys
• Testing
Conclusion - PUSH™
• Preparation
• Universe Definition
• Scoring
• Hitting the Mark
What Works!
1. Identify what you want to protect (Assets), what bad things could happen (Risks), and the mitigating factors (Controls).
2. Look at what has changed since the last assessment. (Business/Technical Changes, Audit Findings, Incidents, Remediation Activities, Regulatory Changes.)
3. Communicate.
What Works!
• People manage risk ALL THE TIME.
• Companies manage risks ALL THE TIME.
• It should feel natural, logical,
• And, Risk Management should ALWAYS pass the “Common Sense” test.
Risk Assessment for a Presentation to ISACA
I didn’t want to…
• Look like an idiot.
• Go over/under time too much.
Questions?
mchapman @ phishline.com
262.546.1867 ext. 7010
Thank You!
mchapman @ phishline.com
262.546.1867 ext. 7010