Enterprise Risk Management for Community Banks
Brian T. O'Hara, CISA, CISM, CRISC, CISSP
CISO, The Mako Group, LLC
btohara@makopro.com
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara

The Mako Group, LLC
- IT & Info Sec Auditing
- IT Risk Assessments
- Security Training
- Vulnerability Assessments
- Social Engineering
- PCI DSS 3
- FISMA Audits
- Penetration Testing
- Gap Assessments
- SOC 1 and SOC 2
- SOX 404
- HIPAA
- Virtual CISO

The Mako Group, LLC
1570 Woodward Ave., Detroit, MI 48266 | Phone: 313.355.0538 | Email: detroit@makopro.com
110 West Berry Street, Suite 2400, Fort Wayne, IN 46802 | Phone: 260.267.5999 | Email: fortwayne@makopro.com
8555 River Road, Suite 315, Indianapolis, IN 46240 | Phone: 317.941.MAKO (6256) | Email: indianapolis@makopro.com

BIO
- CISO of The Mako Group, LLC
- ISSA Fellow
- Program Chair, CINT, Ivy Tech NE
- Adjunct Faculty, Indiana Tech
- CISSP - Certified Information Systems Security Professional
- CISA - Certified Information Systems Auditor
- CISM - Certified Information Security Manager
- CRISC - Certified in Risk and Information Systems Control

BIO
- CAE of The Mako Group, LLC
- CPA
- MSA, Master of Accountancy
- ISACA Detroit Chapter
- CISA - Certified Information Systems Auditor
- Previously ran the Sarbanes-Oxley and FDICIA programs for Ally Bank
What Is ERM?
"Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio." (http://www.rims.org/erm/pages/whatiserm.aspx)

ERM Elements?
- Tied to the Bank's Strategic Plan
- Chief Risk Officer (Top-Down Approach)
- Correlations (non-silo)
- Target Objectives
- Measurable
- Focus on Outcomes

ERM Principles
- Not just about Risk Mitigation
- It is a management system
- A Management Model that leads to action
- Unified Approach
- Answers Key Questions
Quiz 1
Who invented the World Wide Web?
Tim Berners-Lee

ERM Key Questions
- Do we understand risk across the enterprise?
- What is the reward?
- Is the risk acceptable?
- Is the reward great enough?
- Does it link strategies?
- Is it supported from the top down?
- Are decisions made with input from the business, as opposed to protecting lines of business?

Who Is ERM Designed For?
- Community Banks?
- Size?
- Complexity?
- Affordability?
- Value Add?

Examples
- Larger Banks
- Publicly Traded Companies (SOX)
- Service Providers (CORE)

ERM Value?
- Provides a more robust picture of risk
- Corrects Silo Risk Mentality
- Provides Greater Transparency
- Delivers Effective Resource Allocation
- Shifts Focus from Reactive to Proactive
- Examiner Expectations

Sound ERM
- IT Risks Rolled Up
- NO Risk Silos
- Integrated with Business Strategy
- Provides a More Accurate Picture of Tolerance
- More Effective Resource Allocation
- Proactive v Reactive
- Helps Identify Key Controls

Poor ERM
- Risk Silos
- Poor View of Overall Risks
- Reactive rather than Proactive
Examples: Target, TJ Maxx, Heartland Payment Processors

Quiz 2
What was the first commercial web browser?
ERM Frameworks?
- COSO
- RIMS
- ISO
- COBIT
- FFIEC Guidance
- Johnson and Johnson
- NIST

Risk Management Frameworks?
- Cybersecurity (Exec Order 13636)
- NIST
- COBIT
- COSO
- ISO
- FFIEC Guidance

Communicating ERM Across the Enterprise
- Quantitative vs. Qualitative
- $ to Risk to Exposure
- Opportunities

How To Implement ERM
- Pick a framework
- Get top management buy-in
- Establish Enterprise stakeholders

How to Discuss with Sr. Mgmt
- Cost
- Risk
- Opportunity

How to Explain Quantitative v Qualitative Information
Quiz 3
Who sent the first official email over the internet?
Mark Tomlinson

When is ERM not a good fit?
- Lack of Sr. Management Buy-in
- Size and complexity of operations
- Too expensive, cost v benefit

ERM Problems
- Lack of a single unifying framework
- Remains reactive
- Discounts insiders (relies on "experts")
- Does not calculate mitigation costs
- Fails to rank risk
- Lack of academic studies showing effectiveness

Cybersecurity Framework
- NIST Creation
- Fits smaller community banks
- Easily tailored and scalable
- Encompasses ERM key components
- Provides control mappings to standards
- Above and beyond examiner expectations
- Affordable implementations
The Mako Group's Approach (Hybrid)
- Guided (the organization is the expert)
- Holistic
- Eclectic
- Customized based on organization needs
- Based on value added
- Built to optimize resource allocation

Conclusions
- ERM is not always a good fit
- Can be costly
- Can add unforeseen visibility
- Can add predictive value
- Can still provide guiding principles

Summary
- ERM value still unclear
- ERM is a holistic approach
- More Complex
- More about choosing pieces that work for you
- Hybrid approaches using models like the Cybersecurity Framework provide the best of both worlds

THANKS
Brian T. O'Hara, CISA, CISM, CRISC, CISSP
CISO, The Mako Group, LLC