Risk Mgt & Control - Art or Science?

Risk Management & Control:
Art or Science?
Ross Palmer MIIA, FIIA, CISA, FBCS CITP
BCS SOCIETY DORSET BRANCH
Wednesday 5th March 2008
About Myself
• Been working for 41 years!
• Jobs:
 MSS - Reception & Claims Assessment Clerical Officer
 MPNI - National Insurance Inspector
 DHSS - Regional Directorate Operations Manager
 DSS – IT Services Agency (ITSA) Projects Manager
 Internal Auditor
 Computer Auditor
 Computer Audit Manager
• Government, banking and business services.
• Currently Computer Audit Manager for HRG (Hogg Robinson Group).
• Relevant qualifications:
 MIIA/FIIA - Member/Fellow of the Institute of Internal Auditors, UK & Ireland
 CISA - Certified Information Systems Auditor, ISACA
 FBCS CITP – Chartered Fellow of the British Computer Society
• Present Chair of the British Computer Society Information Risk Management &
Assurance (BCS IRMA) specialist group.
Why does risk management matter?
“Troubles add up at Nike”
Jeff Manning -- The Oregonian,
May 4, 1997
The Beaverton shoe giant faces slower sales growth, labor and wage controversies in
its foreign factories and an unnerving 27 percent drop in its stock price.
Portland -- After two years of ripping through the industry like a tornado in a trailer park, Nike
Inc. is suddenly losing momentum. Retailers large and small report consumer demand for
Nike products has levelled off and, in some cases, declined.
Retailers say a small but noticeable fraction of customers are avoiding the brand on
principle.
Alarmed by reports of labor abuses in Third World factories, some shoe consumers say they
want nothing to do with the dominant name in the industry.
"We've seen a slight drop-off in Nike sales," said Pat Sweeney, president of the Fleet Feet
store in Sacramento, Calif. "I think it's because of the bad publicity the company's been
getting on their labor policies."
Why does risk management matter?
• Severe flooding has affected principal cities across Europe including Paris, Dresden, Prague and Gloucester
• Between 20 and 22 October, the city of Manchester experienced 4 earth tremors, one of which reached 3.9 on the Richter scale – sufficient to knock bottles off shelves and cause the collapse of chimneys on residences.
• The UK was also in the grip of an extensive firefighter’s strike at the time. Businesses were warned to review their disaster recovery plans.
Organisations, especially those with modest margins, naturally do not want to spend time and money on something that will probably never happen ... until it happens!
So, how do we make it easy for organisations to prepare for adversity?
Answer: Risk Management and Control
What is a Risk?
The potential that a given threat will exploit vulnerabilities of an
asset or group of assets to cause loss or damage to those assets.
Guidelines for the Management of IT Security (International Standards
Organisation)
Something bad WILL happen
Something good WON’T happen
Examples of business risks
• Financial
• Operational
• Reputational
• Regulatory
• Legal
• Project
• Health & Safety
Typical IT-related risks
• Non-availability of systems and/or data (temporary/long-term) + loss of work in progress at the time
• Loss of key personnel (“single points of failure”)
• Unauthorised, fraudulent or simply erroneous changes to data and programs, leading to loss of data integrity (accuracy)
• Theft of assets – tangible or electronic
• Confidentiality of personal information compromised
• Symbolic actions (e.g. website defacement) and reputation/media damage – need to shut down service
• Failure of a third-party supplier to deliver on its contract
• Staff motivation/morale in reaction to adverse incidents
Risk Management and Control – Some Definitions (1)
• Risk Management: The selection of those risks a business should take
and those which should be avoided or mitigated, followed by action to
avoid or reduce (exposure to) risk.
• Risk Analysis: Identifying the most probable threats to an organisation and
analysing the related vulnerabilities of the organisation to these threats.
• Risk Assessment: Evaluation of existing physical, logical and
environmental controls and assessment of their adequacy/effectiveness
relative to the potential threats to the organisation.
• Business Impact Analysis: Identification of critical business functions and
determination of the impact on the organisation of not performing them
within acceptable tolerances.
• Inherent/Gross Risk: The level of perceived risk without the application of
dynamic influences (such as control procedures).
Risk Management and Control – Some Definitions (2)
• Residual/Net Risk: The level of perceived risk following the application of
dynamic influences (such as control procedures).
• Risk Appetite: The amount of risk, on a broad level, an entity is willing to
accept in pursuit of objectives.
• (Internal) Control: The policies, procedures, practices and organisational
structures, designed to provide reasonable assurance that business
objectives will be achieved and that undesired events will be prevented or
detected and corrected.
• Internal Audit: Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an
organisation's operations.
• Corporate Governance: The leadership, organisational structures and
processes that ensure that the enterprise sustains and extends its
strategies and objectives.
Benefits of Formal Risk Management
 A clear understanding of risk can enhance decision making
 Exploit opportunities from a risk aware perspective
 Contain damage/loss and avoid surprises
 Effective direction and use of resources – look at real issues with less
time spent “fire fighting”
 Increased likelihood of achieving business objectives
 Provide assurance to the Board and third parties that risks are
managed to an acceptable level
 Stimulate inter-team communication and motivation
 Gives stakeholders greater confidence in our stewardship
 No more sleepless nights
Value-Added Risk Management
(Chart: Value/Return, Low to High, against Approach to risk)
• Ignorant (“Brakes off - out of control”): exposed and destroying value
• Managing: managing risk to add value
• Obsessed (“Brakes on - going nowhere”): control to minimise risk
Traditional/New Vision Continuum
Historical/Traditional → The New Vision
 Assign duties/supervise staff → Empowered/accountable employees
 Policy/rule driven → Continuous improvement/learning culture
 Limited employee participation → Extensive employee participation and training
 Narrow stakeholder focus → Broad stakeholder focus/corporate governance
 Auditors and other specialists are the primary control analysts/reporters → Staff at all levels, in all functions, are the primary control analysts/reporters
The Risk Management Process – in a nutshell
1. Establish the context
2. Identify risks
3. Analyse risks
4. Evaluate risks
5. Treat risks
Monitor and review; Communicate and consult (alongside all five steps)
The Risk Management Process – 1. Establish the context
1. Establish the Context - Categorisation of Risk
Event categories:
• Environment (External): change in the parameters of the sector; change in the environment (general); external events specific
• Design of the business (Internal): how business is executed; how the business changes itself; management and controls structure
• Alliances: service delivery alliances; customer alliances
Provides a common language for risk – helps avoid ambiguity
Helps identification of common risks and accumulations across divisions/processes/geographical locations
1. Establish the Context – Risk Areas
External Risks
• Environmental: Political/legal; Economic; Social; Technological
• Sector: Competitive rivalry; New entrants; Substitute products/services; Buyers; Suppliers
• Other external factors/events: Public image; Shareholder expectations; Capital availability; Hostile takeover; Catastrophic loss
Internal Risks – How the business is executed
• Human resources: Recruitment; Performance evaluation; Skills and competencies; Training and development; Promotion practice/career planning/succession; Compensation/performance incentives; Retention; Discipline; Employee well-being and morale
• Operational: Customer satisfaction; Quality; Product/service failure; Performance gap; Planning; Capacity; Sourcing; Brand name erosion; Winning/implementing new clients; Facilities; Health & Safety
• Financial: Gearing; Liquidity/cash flow; Profitability; Budgeting and planning; Financial instruments; Pricing; Credit; Pension fund; Taxation; Regulatory reporting
• Integrity: Fraud; Collusion; Illegal acts; Unauthorised use of assets; Theft; Ethics
• Management information: Reliability; Relevance; Timeliness; Adequacy; Performance measurement/indicators
• Information systems: Data integrity; Completeness and accuracy of update; Logical security; Availability; Data protection; Information systems infrastructure; Systems specification, selection/development & implementation; Dependency on IT
• Commercial & legal: Establishing commercial contracts; Interpretation and application of legislation/regulations/contracts; Directors and officers wrongful acts; Professional liability; Intellectual property; Insurance
Internal Risks – How the business changes itself
• Strategy formulation/implementation; Product/service development & launch; Merger/acquisitions/disposals; Entering new markets; Programme/project management; Overexpansion
Internal Risks – Management and control structure
• Leadership; Authority and responsibility; Communication; Organisational design; Organisational culture; Internal competition; Management review processes; Control failure
Alliance Risks
• Service delivery alliances: Partner/supplier selection; Ongoing relationship management/communication; Loss of intellectual property; Loss of customers; Supplier/partner failure; Quality; Cost; Dependency on partner/supplier; Partner/supplier’s market place; Environmental risks; Sector risks
• Customer alliances: Customer acceptance; Ongoing relationship management/communication; Loss of intellectual property; Customer systems/control failure; Dependency on one/a few customers; Customer’s market place; Environmental risks; Sector risks
The Risk Management Process – 2. Identify risks
2. Identify Risks – Business Impact Analysis
 A meeting or series of meetings of key stakeholders – the BUSINESS
 “What are the five things that keep you awake at night?”
 What will be the effect upon the BUSINESS of ...? e.g.
 Loss of an invoicing system for 2 hours/half a day/2 days, etc.
 Inability to access a business call centre due to toxic spill, crime scene, etc.
 Prioritisation of the impacts upon the business
2. Identify Risks - Risk Workshop
Workshop(s) sessions:
 Identification and classification
 Measurement and priorities
Key stages
 Brainstorm exercise to identify potential operational risks
 Risk categorisation
 Evaluate ideas to produce an agreed list of risks
 Estimate expected impact and likelihood
 Establish management priorities
The Risk Management Process – 3. Analyse risks
3. Analyse Risks - Risk Factors
Factor 1 – Likelihood: “Is it going to happen to me?” (uncertainty, chance, probability, odds)
Factor 2 – Impact: “What is it going to mean to me if it does?” (exposure, vulnerability, effect, consequence)
Likelihood and Impact combined = Risk Scoring
The Risk Management Process – 4. Evaluate risks
4. Evaluate Risks - Risk Categorisation/Scoring
(Chart: Likelihood, Low to High, against Impact, Low to High)
4. Evaluate Risks - Risk Prioritisation
(Chart: numbered risks plotted by Likelihood, Low to High, against Impact, Low to High. KEY: High risk; Moderate risk; Low risk)
4. Evaluate Risks - Risk Matrix
Process Risks (heat map) – Example only – does not represent actual risk profile
Rows: process, with Process Owner initials and Risk Assm't
• Strategic Management Process
• Core Business Process: Payroll; Banking Services; Selling/Implementation of New Services; Account Management
• Business Support Process: IS; HR; Finance; Facilities Management; Procurement
Columns:
• Internal Risks: How the business changes itself; Management and control structure; Relationship management; Change in partners’ market place; Commercial and Legal; Information management; Information processing; Integrity; Financial; Human Resources; Operations
• External Risks: Other external events specific; Sectors; Environmental (general)
• Alliances
Legend: cells marked  = risk mitigation planned
The Risk Management Process – 5. Treat risks
5. Treat Risks - Strategies (T.R.A.P.)
• Terminate: terminate the activity being undertaken which generates risk
• Reduce: reduce the risk by introducing new or enhancing existing controls
• Accept: accept the risk where existing controls are felt to be adequate
• Pass on: pass on the risk to another party - for example, insure against it or outsource the function
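As an added worked example (not from the deck), the Analyse step's scoring, the Evaluate step's banding and the T.R.A.P. choice above in Python; the 1-to-5 scales, band thresholds, control reductions and treatment rules are assumptions, as is the small register built from the earlier “Typical IT-related risks” slide.

```python
"""Risk register scoring and T.R.A.P. treatment. Constructed example, not from the deck.
Assumed scales: likelihood and impact 1 (Low) to 5 (High); score = likelihood x impact;
the matrix bands and treatment rules below are illustrative choices, not the author's."""
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    effective: bool = True  # reductions count only while the control is proven effective

@dataclass
class Risk:
    ident: int
    description: str
    likelihood: int  # gross (inherent) likelihood, 1..5
    impact: int      # gross (inherent) impact, 1..5
    controls: list = field(default_factory=list)

def gross_score(risk):
    """Inherent/gross risk: the score before any control procedure is applied."""
    return risk.likelihood * risk.impact

def residual_factors(risk):
    """Net likelihood and impact after effective controls, floored at 1."""
    likelihood, impact = risk.likelihood, risk.impact
    for control in risk.controls:
        if control.effective:
            likelihood -= control.likelihood_reduction
            impact -= control.impact_reduction
    return max(1, likelihood), max(1, impact)

def residual_score(risk):
    likelihood, impact = residual_factors(risk)
    return likelihood * impact

def band(score):
    """Prioritisation-matrix band (assumed thresholds on the 5x5 grid)."""
    return "High" if score >= 15 else "Moderate" if score >= 6 else "Low"

def treatment(risk, appetite):
    """T.R.A.P.: Terminate, Reduce, Accept or Pass on, judged on residual risk."""
    if residual_score(risk) <= appetite:
        return "Accept"        # existing controls adequate for the stated appetite
    likelihood, impact = residual_factors(risk)
    if likelihood >= 4 and impact >= 5:
        return "Terminate"     # too likely and too severe to keep doing
    if impact >= 4 and likelihood <= 2:
        return "Pass on"       # rare but severe: insure against it or outsource
    return "Reduce"            # add new or strengthen existing controls

def prioritise(register, appetite):
    """Rank by residual score, then gross score: the order a heat map would show."""
    rows = [(r.ident, gross_score(r), residual_score(r),
             band(residual_score(r)), treatment(r, appetite)) for r in register]
    return sorted(rows, key=lambda row: (row[2], row[1]), reverse=True)

# Constructed register drawn from the deck's "Typical IT-related risks" slide.
REGISTER = [
    Risk(1, "Invoicing system unavailable for 2 days", 4, 4,
         [Control("Nightly backups and DR site", 0, 2), Control("UPS and dual power", 1, 0)]),
    Risk(2, "Loss of key DBA (single point of failure)", 3, 4,
         [Control("Cross-training", 0, 2, effective=False)]),  # planned, not yet in place
    Risk(3, "Unauthorised change to payroll data", 3, 5,
         [Control("Change control and segregation of duties", 2, 0),
          Control("Audit trail review", 0, 1)]),
    Risk(4, "Outsourced hosting supplier fails", 2, 5),
    Risk(5, "Website defacement", 4, 5, [Control("Web application firewall", 1, 0)]),
    Risk(6, "Unsupported legacy remote-access service", 5, 5),
]
```

Calling `prioritise(REGISTER, appetite=6)` ranks the register by net risk and shows why an ineffective control leaves gross and residual risk equal.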
5. Treat Risks - The Control Environment:
Information Processing Objectives
5. Treat Risks - The Control Environment:
Definitions of high-level control objectives…
• Confidentiality: Prevention of disclosure of sensitive information resources to unauthorised individuals or organisations
• Integrity: Prevention of accidental corruption, deliberate unauthorised manipulation or inaccurate entry/processing of business information resources
• Availability: Prevention of business information stored in or processed by systems becoming lost or unavailable for an extended period
• Effectiveness: Maximising the conformance of outputs from an activity to a specification or need (meaning: “Doing the right things”)
• Efficiency: Optimising the ratio of inputs to outputs for an activity (meaning: “Doing things right”)
• Economy: Minimising the cost of the inputs to an activity or the resources needed to deliver a service (meaning: “Doing things cheap”)
• Compliance: Avoidance of breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
5. Treat Risks - The Control Environment:
A Hierarchy of Internal Control
Internal controls can be categorised into the following:
1. Preventive Controls – (“before the fact”)
 The most important control type since, if 100% effective (which it never is), none of the others would be necessary – physical barriers, passwords
 Healthcare analogy: Prophylactics (e.g. immunisation programmes)
2. Detective Controls – (“after the fact”)
 If a preventive mechanism fails, this is the first type of control necessary to identify this fact prior to correction – audit trails, monitoring
 Healthcare analogy: Diagnoses (e.g. check-ups; ECGs)
3. Corrective Controls – (“before or after the fact”)
 This type of control is designed to correct a problem – change control, overrides
 Healthcare analogy: Surgery (e.g. heart by-pass; tumour excision)
4. Deterrent Controls – (“instead of the fact”)
 Designed to advise against certain forms of action – security policy, logon warning
 Healthcare analogy: Government Health Warnings (e.g. tobacco; alcohol)
5. Treat Risks - Risk and Control
(Diagram: control pressure applied to risk. Labels: risk controlled; residual or ‘exposed’ risk; risks currently ‘hidden’ by control structure but may be exposed by major change; unidentified risks)
IT Risk Management and Control – sources of inspiration
There are a number of industry IT security standards that can assist compliance with governance requirements and in some cases grant a badge to an organisation to say “We are all certified here” (!!!???) These include:
• The Standard of Good Practice for Information Security, Information Security Forum (ISF)
• Control Objectives for Information and related Technology (COBIT)
• Information Security Management Systems - Requirements (ISO27001)
Achieving Information Technology Governance - ISF
The Standard of Good Practice for Information Security
• Produced by the Information Security Forum (ISF), an international association that co-operates in the development of information security and risk management best practices.
• “The ISF's work probably represents the most comprehensive and integrated set of reports anywhere in the world ...”
• Draws on the knowledge and experiences of the ISF's global members as well as building on other standards such as ISO 27001 and COBIT
• Available as free download from www.securityforum.org
Achieving Information Technology Governance - ISF
Breakdown of the standard:
Achieving Information Technology Governance - COBIT
Control Objectives for Information and related Technology (COBIT)
• Developed by the IT Governance Institute (ITGI) and the Information Security And Control Association (ISACA)
• Provides over 300 IT control statements defining requirements addressing value delivery, risk management, regulatory compliance and IT investment.
• Structured in 4 domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring
• Can be integrated with other respected standards such as ISO27001 and ISO9000
• Available as free download from www.itgi.org
Achieving Information Technology Governance - COBIT
Comprises 4 control “domains”:
1. Plan and Organise
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
Containing 34 IT control processes, e.g.
1. Define a Strategic Plan
2. Manage Changes
3. Ensure Continuous Service
4. Monitor and Evaluate IT Performance
Achieving Information Technology Governance - COBIT
Topic structure (example)
Achieving Information Technology Governance – ISO27001
Information Security Management Systems Requirements (ISO27001)
• Developed initially as BS7799 by the British Standards Institute
• Adopted as ISO17799 by the International Standards Organisation
• Revised 2005 as ISO27001
• Structured under 11 security clauses, 39 control objectives and 133 control processes
• Can be integrated with other respected standards such as ISO9000 (quality), ISO14000 (environmental), ISO15000 (service delivery)
• Not available for free !! See www.bsi-global.com
Achieving Information Technology Governance – ISO27001
ISO27001 – High level contents
1. Security policy
2. Organisation of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
Q. Should Risk Management and Control be considered to be
an Art or a Science?
A.
• Art: “The expression or application of human
creative skill and imagination”
• Science: “The intellectual and practical activity
encompassing the systematic study of the structure
and behaviour of the physical and natural world
through observation and experiment”
(From the Oxford Dictionary of English)
Potential principles for roles and responsibilities - Board
(Diagram of roles: Board; Executive Group; Business Risk Manager; Internal Audit; Businesses MDs/Director responsible for matrixed function; Risk Champions; All managers and staff)
 Determine risk appetite
 Agree risk policy and strategy
 Satisfy itself that all risks are managed to an acceptable level
 Governance disclosure in Annual Report
Potential principles for roles and responsibilities – Executive Group
 Develop risk policy and strategy
 Analyse risk reports
 Report risk status to Board
Potential principles for roles and responsibilities – Business Risk Manager
 Provide support to Executive Group to develop risk policy and strategy and analyse risk reports
 Analyse overall risk portfolio for accumulations and interdependencies
 Assist businesses and matrixed functions to identify risks and establish treatment strategies
 Set standards for risk reports
 Maintain Risk Management Information System
 Co-ordinate with other risk specialists
 Provide additional services (eg project risk workshops) on request
Role is to facilitate the risk management process and not to manage risks
Potential principles for roles and responsibilities – Internal Audit
 Quality assurance of risk management process
 Test compliance at all relevant levels
 Alongside Business Risk Manager promote the principles of self-assessment of risk and control status
 Advise businesses in design of control portfolio and sign-off adequacy
 Scope audit work on risk severity to the business
 Undertakes special investigations upon request
Potential principles for roles and responsibilities - Directors
 Ensure adequate risk management process is in operation
 Report risk profile to the Executive Board
 Obtain assurance that controls relied upon are working effectively and sign-off controls assurance statement
 Matrixed functions also to report on risk profiles and effectiveness of controls to the businesses which “sub-contracted” to them
Can consult with Business Risk Manager or Internal Audit but remains responsible
Potential principles for roles and responsibilities – Risk Champions
 Responsible to MD for operation of risk management process
 Communicates risk management policies and procedures to all management and staff
 Acts as key contact point for managers and staff to report risks identified and proposed action
 Liaison between business/matrixed functions re “sub-contracted” risks
 Liaison with risk management specialists in “2nd line of defence”
Potential principles for roles and responsibilities – Managers and Staff
 Management of risks within own sphere of operation in accordance with risk management policies and procedures
 Report risk profiles to Risk Champion