Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC

Transcription

1 Enterprise Risk Management Process Improvement

2 2 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone:

3 3 My Experience 8 Years Information Security Information Security Program Design and Implementation IT Risk Assessment Penetration Testing Vulnerability Assessments Awareness Programs Vendor Management Business Continuity Technology Selection Security Consulting IT Audit ISP audit Controls audit Wire transfer audit Internet banking audit

4 Dakota State Nationally Recognized 4 National Security Agency Department of Homeland Security 4,000 universities in the country Only 86 named national centers in the past 10 years

5 5 National Centers of Academic Excellence

6 6 Dakota State University Summary Dakota State University is the only National Center of Excellence focused on the security of banks

7 7 Secure Banking Solutions Offshoot of the national center of excellence in bank security at Dakota State University Provides the help bank needs to have good security and successful IT exams

8 8 What is ERM? Is it Loan Review? Is it Stress Testing? Is it Multifactor Authentication? Is it Information Technology or Information Security? Is it the execution of controls or measurement of processes in place? Inch deep and a mile wide?

9 9 Enterprise Risk Management (ERM) ERM is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO) ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity s risk management in a changing operating environment. (Protiviti consulting firm)

10 10 FFIEC Definitions Supervision of Technology Service Providers Booklet The agencies expect financial institutions to have in place a comprehensive, enterprise-wide risk management process that addresses vendor management for relationships with TSPs. Advisory on Interest Rate Risk Management Institutions should ensure IRR exposures are incorporated and evaluated as part of the enterprise-wide risk identification and analysis process.

11 11 OCC Timothy Long - Testimony to Senate Supervisors and regulators need to make sure that the risk management and control framework within financial institutions keeps pace with the changes in instruments, markets and business models, and that firms do not engage in activities without having adequate controls. stressed the need for firms to have robust internal controls and risk management processes for complex structured finance transactions. Stress tests are a critical tool for effective enterprise-wide risk assessments.

12 12 Federal Reserve Governor Susan Schmidt Bies North ERM Roundtable In some cases, firms may be practicing good risk management on an exposure-by-exposure basis, but they may not be paying close enough attention to aggregation of exposures across the entire organization. Rapid growth can place considerable pressure on, among other areas, an organization's management information systems, change-management controls, strategic planning, credit concentrations, and asset/liability management. Areas of concern mentioned: Compliance Risk, Operational Risk, Information Security, Mutual Funds, Credit Derivatives. An enterprise-wide approach is appropriate for setting objectives across the organization, instilling an enterprise-wide culture, and ensuring that key activities and risks are being monitored regularly.

13 13 Summary of Guidance Stress Testing Credit Concentrations Internal Controls Risk Management Processes IRR Exposures Asset Liabilities Management Vendor Management ERM Management of Information Systems

14 14 COSO Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines: A process, ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite Able to provide reasonable assurance to an entity s management and board of directors Geared to achievement of objectives in one or more separate but overlapping categories

15 15 COSO Objectives Strategic high-level goals, aligned with and supporting its mission Operations effective and efficient use of its resources Reporting reliability of reporting Compliance compliance with applicable laws and regulations.

16 16 COSO Components Internal Environment The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. (PP) Objective Setting Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity s mission and are consistent with its risk appetite. (Risk Mitigation Goals) Event Identification Internal and external events affecting achievement of an entity s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management s strategy or objective-setting processes. (Threats) Risk Assessment Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. (RRS)

17 17 COSO Components Risk Response Management selects risk responses avoiding, accepting, reducing, or sharing risk developing a set of actions to align risks with the entity s risk tolerances and risk appetite. Control Activities Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Information and Communication Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Monitoring The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

18 18 COSO Summary Risk Assess Monitor Control Risk

19 19 COSO Framework Mapping #2 #3 #1

20 20 #1 - Business Processes Administrative Affiliate Back-Office Customer Service Finance Lending Marketing Regulatory Retail (Deposits) Information Technology

21 21 #2 - Threat Areas Categories commonly used in FFEIC booklets. Operational Reputational Compliance Financial Strategic OCC adds: Credit Interest Rate Liquidity Price

22 22 IT Risk Management Process 10) Improve Risk Manageme nt Programs 1) Establish Risk Mitigation Goals 2) Identify IT Assets 9) Document Compliance and Communicat e 3) Evaluate Protection Profile 8) Identify Additional Controls 4) Identify Threats I & P Optional 7) Calculate Residual Risk Score 6) Identify Mitigating Controls 5) Calculate Inherent Risk Score

23 23 Enterprise Risk Management Process 10) Improve Risk Manageme nt Programs 1) Establish Risk Mitigation Goals 2) Identify Business Process 9) Document Compliance and Communicat e 3) Evaluate Protection Profile 8) Identify Additional Controls 4) Identify Threats I & P Optional 7) Calculate Residual Risk Score 6) Identify Mitigating Controls 5) Calculate Inherent Risk Score

24 24 Lending Example 1. High Risk Goal = Mitigate 75% of risk 2. Business Process = Lending 3. Protection Profile (H/M/L) Reputational Importance Financial Importance Legal Importance Strategic Importance 4. Threats (Impact/Probability) Capital Adequacy Financial Loss Fraud Loss Interest Rates 5. Inherent Risk Score 6. Controls Loan Policy Loan Risk Assessment Credit Underwriting Procedures Loan Review 7. Residual Risk Score

25 25 Information Technology Example 1. Medium Risk Goal = Mitigate 60% of risk 2. Business Process = Information Technology 3. Protection Profile (H/M/L) Reputational Importance Financial Importance Legal Importance Strategic Importance 4. Threats (Impact/Probability) Data Breach Malicious Software Business Interruption Third Party Relationship 5. Inherent Risk Score 6. Controls External IT Audit Information Security Program IT Risk Assessment Business Continuity Plan 7. Residual Risk Score

26 26 Back Office Example 1. Medium Risk Goal = Mitigate 60% of risk 2. Business Process = Back Office 3. Protection Profile (H/M/L) Reputational Importance Financial Importance Legal Importance Strategic Importance 4. Threats (Impact/Probability) Failed Transaction Posting Error NACHA Violation Regulatory Examination 5. Inherent Risk Score 6. Controls ACH Policy Separation of Duties External ACH Audit Wire Transfer Limits 7. Residual Risk Score

27 27 Report Risk Mitigation

28 28 Report Threat Source

29 29 Risk Management Compliance Program Improvements Business Process Improvements Improve Risk Management Programs Inform and Empower Management Audit Program Improvements

30 30 ERM Process Improvement

31 31 Measuring Controls How will you determine if a control is implemented? Do you need to be an expert in those areas to determine if a control is implemented? If we are going an mile wide and an inch deep, how can I get more confident in a control? Hasn t most of these things been evaluated already?

32 32 Capability Maturity Model

33 33 Aggregating Risk ACH Risk Assessment Business Impact Analysis (BCP) IT Risk Assessment Vendor Risk Assessment BSA Risk Assessment Maturing Control Measurements Commercial Customer Risk Assessment

34 34 BSA Risk Assessment Account types utilized Commercial DDA Domestic Wires Cashiers Checks Risk Areas Changing Customer Base High Intensity Drug Trafficking Area (HIDTA) High Intensity Financial Crime Area (HIFCA) Mitigating Controls BSA Policy CIP Procedures BSA Audit

35 35 IT Risk Assessment Asset Types Core Banking Systems Workstations Internet Banking Risk Areas Data Loss Malware Unauthorized Access Mitigating Controls IT Audit Vulnerability Assessment Penetration Test

36 36 Business Impact Analysis Business Processes Lending Back Office Administrative Risk Areas Maximum Allowable Downtime Dependencies Impacts (Financial, Legal ) Mitigating Controls Emergency Procedures Alternative Site Restoration Procedures

37 37 Vendor Risk Assessment Relationships Core Provider Lending Software Provider Statement Printer Risk Areas Customer Data Availability Mitigating Controls Contract Review Ongoing Due Diligence SSAE16 Review

38 38 Commercial Account Risk Assessment Commercial Customers Wilson s Title/Escrow Company Regional Medical Center Widget Manufacturing Risk Areas Corporate Account Takeover Unauthorized Transactions Data Loss / Breach Mitigating Controls Customer Education Multifactor Authentication Customer Risk Assessment

39 39 ACH Risk Assessment Transaction Types Third Party Senders ACH Systems Direct Access Risk Areas Transaction Risk Operational Risk Credit Risk Mitigating Controls Credit Risk Policy Third Party Oversight Written Agreements

40 40 ERM Control Evaluation Control Implementation Is a control implemented or not implemented Control Effectiveness How well is the institution managing risk with the implemented control ERM Process Control Implementation (Area) Risk Assessment Control Effectiveness Better Decision Making

41 41 ERM Summary Formalize a Risk Assessment process Start a mile wide and inch deep It measures if its implemented, it doesn t implement Measure against your goals and identify additional risk mitigation efforts Put controls into actions with internal processes or external resources

42 42 Enterprise Risk Management SBS ERM Approach Model after COSO Framework Process Improvement Provide a risk management process that can be applied to all business process Establish risk mitigation goals for the organization Empower the board and management to identify specific areas of risk and suggest mitigating controls Improve risk management practices within each business processes Address compliance requirements Drive internal and external audit programs

43 43 What is ERM? Is it Loan Review? Is it Stress Testing? Is it Multifactor Authentication? Is it Information Technology or Information Security? Is it the execution of controls or measurement of processes in place? Inch deep and a mile wide?

44 44 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: