Enterprise Risk Management for Community Banks

Size: px

Start display at page:

Download "Enterprise Risk Management for Community Banks"

Milo Parrish
7 years ago
Views:

1 Enterprise Risk Management for Community Banks Brian T. O Hara CISA, CISM, CRISC, CISSP CISO The Mako Group, LLC btohara@makopro.com

2 The Mako Group, LLC IT & Info Sec Auditing IT Risk Assessments Security Training Vulnerability Assessments Social Engineering PCI DSS 3 FISMA Audits Penetration Testing Gap Assessments SOC 1 and SOC 2 SOX 404 HIPAA Virtual CISO

3 The Mako Group, LLC 1570 Woodward Ave. Detroit, MI Phone: West Berry Street - Suite 2400 Fort Wayne, IN Phone: fortwayne@makopro.com 8555 River Road - Suite 315 Indianapolis, IN Phone: MAKO (6256) indianapolis@makopro.com

4 BIO CISO of The Mako Group, LLC ISSA Fellow Program Chair, CINT Ivy Tech NE Adjunct Faculty Indiana Tech CISSP - Certified Info Systems Security Prof. CISA - Certified Information Systems Auditor CISM - Certified Information Security Manager CRISC - Certified Risk Info System Controls

5 BIO CAE of The Mako Group, LLC CPA MSA Masters of Accountancy ISACA Detroit Chapter CISA - Certified Information Systems Auditor Previously ran the Sarbanes-Oxley and FDICIA programs for Ally Bank

6 What Is ERM? Enterprise Risk Management ( ERM ) is a strategic business discipline that supports the achievement of an organization s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (

7 ERM Elements? Tied to Bank s Strategic Plan Chief Risk Officer (Top Down Approach) Correlations (non-silo) Target Objectives Measurable Focus on Outcomes

8 ERM Principles Not just about Risk Mitigation It is a management system Management Model that leads to action Unified Approach Answers Key Questions

9 Quiz 1 Who Invented the World Wide Web? Tim Berners-Lee

10 ERM Key Questions Do we understand risk across the enterprise? What is the reward? Is the risk acceptable? Is the reward great enough? Does it link strategies? Is it supported from the top down? Are discussions made with input to business as opposed to protecting lines of business?

11 Who Is ERM Designed For? Community Banks? Size? Complexity? Affordability? Value Add?

12 Examples Larger Banks Publicly Traded Companies (SOX) Service Providers (CORE)

13 ERM Value? Provides a more robust picture of risk Corrects Silo Risk Mentality Provides Greater Transparency Delivers Effective Resource Allocation Shifts Focus from Reactive to Proactive Examiner Expectations

14 Sound ERM IT Risks Rolled Up NO Risk Silos Integrated with Business Strategy Provides More Accurate Picture of Tolerance More Effective Resource Allocation Proactive v Reactive Helps Identify Key Controls

15 Poor ERM Risk Silos Poor View of Overall Risks Reactive rather than Proactive Examples Target TJ Max Heartland Payment Processors

16 Quiz 2 What was the first commercial web browser?

17 ERM Frameworks? COSO RIMS ISO COBIT FFIEC Guidance Johnson and Johnson NIST

18 Risk Management Frameworks? CyberSecurity (Exec Order 13636) NIST COBIT COSO ISO FFIEC Guidance

19 Communicating ERM Across Enterprise Quantitative v & Qualitative $ to Risk to Exposure Opportunities

20 How To Implement ERM Pick a framework Get top management buy in Establish Enterprise stakeholders

21 How to Discuss with Sr. Mgmt Cost Risk Opportunity

22 How to Explain Quantitative v Qualitative Information

23 Quiz 3 Who sent the first official over the internet? Mark Tomlinson

24 When is ERM not a good fit? Lack of Sr. Management Buy in Size and complexity of operations Too expensive, cost v benefit

25 ERM Problems Lack of single unifying framework Remains reactive Discounts insiders (relies on experts ) Does not calculate mitigation costs Fails to rank risk Lack of academic studies showing effectiveness

26 Cybersecurity Framework NIST Creation Fits smaller community banks Easily tailored and scalable Encompasses ERM key components Provides control mappings to standards Above and beyond examiner expectations Affordable implementations

27 The Mako Group s Approach (Hybrid) Guided (organization is the expert) Holistic Eclectic Customized based on organization needs Based on value added Built to optimize resource allocation

28 Conclusions ERM is not always a good fit Can be costly Can add unforeseen visibility Can add predictive value Can still provide guiding principles

29 Summary ERM value still unclear ERM is a holistic approach More Complex More about choosing pieces that work for you Hybrid approaches using models like Cybersecurity Framework provides best of both worlds

30 THANKS Brian T. O Hara CISA, CISM, CRISC, CISSP CISO The Mako Group, LLC btohara@makopro.com

NEC Managed Security Services

NEC Managed Security Services www.necam.com/managedsecurity How do you know your company is protected? Are you keeping up with emerging threats? Are security incident investigations holding you back? Is