Successful Security, Risk and Control Programs
from DelCreo, Inc., an Enterprise Risk Management Company

DelCreo Enterprise Risk Management Framework Part II

Strategic planning is an area that I believe to be critical for the success of all security, risk and control managers. Details on our new Strategic Planning workshop are available at http://www.delcreo.com/delcreo/education_training/stratplan.cfm

In November, I wrote about the DelCreo Framework for Enterprise Risk Management, and detailed half of this approach. This month (where did the December Newsletter go? - too much Christmas shopping!) I have detailed the second half of this framework. You can download a copy of this framework from the DelCreo website at http://www.delcreo.com/delcreo/free/docs/erm%20framework.ppt

ENTERPRISE RISK MANAGEMENT CAPABILITIES

Many risk assessments focus completely on identifying risks and potential exposures, and neglect a review of the capability of the organization to manage the risks. I believe that the most effective risk assessments identify, classify and articulate the likelihood/impact of risks, and then address the current ability of the organization to manage those risks. Many components can make up the risk management capability; some of the key elements are discussed below:

Risk Functions

Various risk management functions must participate, exchange information and processes, and cooperate on risk mitigation activities to fully implement an ERM capability. Some of these risk management functions might include:

- Business Continuity Planning
- Internal Audit
- Insurance
- Crisis Management
- Privacy
- Physical Security
- Legal
- Information Security
- Credit Risk Management

Any enterprise risk management assessment should include a review of the interactions, sharing of information, collaborative approach to managing risk, etc. that exists among the various risk management functions.
Optimize magazine has recently had several excellent articles about enterprise risk management. One item recently grabbed my attention: in a recent survey conducted by Optimize, 40% of the companies that participated in the survey identified the CIO as the executive most likely to own Enterprise Risk Management in their organization! (Optimize, January, 2004, p. 67). For more details and analysis on this article, see my blog at http://www.delcreo.com/delcreo/about_delcreo/delcreo_blog.html.

In the last article, we briefly addressed risk appetite. DelCreo has researched and developed a method over the past seven years that many clients have used to successfully develop and define risk appetite. Using this method, the risk appetite is then used across the various risk management functions, allows for the cascading of your risk appetite into (and across) the organization, and becomes a critical link in operationalizing a concept that heretofore has been very nebulous. For more details, please contact me at mark@delcreo.com.

Risk Management Processes

Effective risk management processes can be used across a wide range of risk management activities, and include the following:

- Risk Strategy and Appetite
  - Define risk strategy and program.
  - Define risk appetite.
  - Determine treatment approach.
  - Establish risk policies, procedures, and standards.
- Assess Risk
  - Identify and understand value and risk drivers.
  - Categorize risk within the business risk framework.
  - Identify methods to measure risk.
  - Measure risk.
  - Assemble risk profile and compare to risk appetite and capability.
- Treat Risk
  - Identify appropriate risk treatment methods.
  - Implement risk treatment methods.
  - Measure and assess residual risk.
- Monitor and Report
  - Continuously monitor risks.
  - Continuously monitor risk management program and capabilities.
  - Report on risks and effectiveness of risk management program and capabilities.

Although the risk management process is relatively easy to understand, very few organizations have formally documented and implemented a risk management process that is used across the organization.
Organization

The Chief Risk Officer (CRO), Enterprise Risk Manager or even the Enterprise Risk Committee may manage the enterprise risk management activities. Their duties would typically include:

- Provide risk management program leadership, strategy and implementation direction.
- Develop risk classification and measurement systems.
- Develop and implement escalation metrics and triggers (events, incidents, crises, operations, etc.).
- Develop and monitor early warning systems, based on escalation metrics and triggers.
- Develop and deliver organization-wide risk management training.
- Coordinate risk management activities - some functions may report to the CRO, while others will be coordinated.

Culture

Creating and maintaining an effective risk management culture is very difficult. Special consideration should be given to the following areas:

Knowledge Management - Institutional knowledge about risks, how they are managed, and the experiences of other business units should be effectively captured and shared with relevant peers and risk managers. My experience in helping clients develop and implement online knowledge management systems has shown the potential benefit of knowledge management efforts:

- Reduce the risk profile through the enhanced risk identification and management capability
- Decrease the total cost of risk
- Develop and deploy risk assessment tools globally
- Enable the company to capture risk assessment information continuously
- Allow users to access complex risk modeling and forecasting tools through simple web-based interfaces and applications
- Become the universal starting point for all users as they look for risk related tools, people resources and knowledge

(For more details, see http://www.delcreo.com/delcreo/services_products/riskweb.cfm )

Metrics - The accurate and timely collection of metrics is critical to the success of the risk management program. Effort should be made to connect the risk management programs to the Balanced Scorecard, EVA, or other business management/metrics systems. The balanced scorecard is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy and translate them into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results.
When fully deployed, the balanced scorecard transforms strategic planning from an academic exercise into the reality of organizational measurement processes. (Robert S. Kaplan and David P. Norton's new book, Strategy Maps: Converting Intangible Assets into Tangible Outcomes, is an excellent reference guide for this topic.)

EVA (Economic Value Added) is net operating profit minus an appropriate charge for the opportunity cost of all capital invested in an enterprise. As such, EVA is an estimate of true "economic" profit, or the amount by which earnings exceed or fall short of the required minimum rate of return that shareholders and lenders could get by investing in other securities of comparable risk. Stern Stewart developed EVA to help managers incorporate two basic principles of finance into their decision making. The first is that the primary financial objective of any company should be to maximize the wealth of its shareholders. The second is that the value of a company depends on the extent to which investors expect future profits to exceed or fall short of the cost of capital. (Source: http://www.sternstewart.com/evaabout/whatis.php )

Training - Effective training programs are necessary to ensure that risk management programs are effectively integrated into regular business processes. For example, strategic planners, responsible for the strategic planning process, will need constant reinforcement regarding the risk assessment processes. (For more information on training, see http://www.delcreo.com/delcreo/education_training/proeducation.cfm )

Communication - Frequent and consistent communications around the purpose, success, and cost of the risk management program are a necessity to maintain management support and to continually garner the necessary participation of managers and line personnel in the ongoing risk management program.

Tools

Appropriate tools should be evaluated, purchased or developed to enhance the effectiveness of the risk management capability. Many commercial tools are available and their utility across a range of risk management activities should be considered. Quality information about risks is generally difficult to obtain, and care should be exercised to ensure that information gathered by one risk function can be effectively shared with other programs. For example, tools used to conduct the business impact assessment should facilitate the sharing of risk data with the insurance program. (For more information on our tools, see http://www.delcreo.com/delcreo/services_products/tools_technology.cfm )

Enterprisewide Integration

ERM and other related security, risk and control programs should effectively collaborate across the enterprise and should have a direct connection to the strategic planning process, as well as to the critical projects, initiatives, business units, functions, etc. Broad, comprehensive integration of risk management programs across the organization generally leads to more effective and efficient programs.
Risk Attributes

Risk attributes relate to the ability or sophistication of the organization to understand the characteristics of specific risks, including their lifecycle, how they act individually or in a portfolio, and other qualitative or quantitative characteristics.

Lifecycle - Has the risk been understood throughout its lifecycle, and have appropriate risk strategies been developed and implemented before the risk occurs, during the risk occurrence, and after the risk occurs? Achieving the optimal balance between risk and the cost of managing risk is only possible if the lifecycle of the risk is well understood and risk strategies and treatments are appropriately applied.

Individual and Portfolio - The most sophisticated organizations will look at each risk individually, as well as in aggregate or in portfolio. Viewing risks in a portfolio can help identify risks that are natural hedges against one another, and risks that amplify each other. Knowledge of how risks interact as a portfolio can increase the ability of the organization to effectively manage the risks at the most reasonable cost.

Qualitative and Quantitative - Most organizations will progress from being able to qualitatively assess risks to being able to quantify risks. In general, the more quantifiable the information about the risk, the more treatment options are available to the organization.

Risk Functions, Risk Management Process, Organization, Culture, Tools, Enterprise-wide Integration and Risk Attributes are some of the most common elements of understanding your risk management capability. Other elements exist and may be more or less relevant depending on industry, geography, etc.

Many people have struggled with the challenge of clearly defining what enterprise risk management is. I believe that clearly defining the capability elements of enterprise risk management is the key to understanding it. As this discipline evolves, DelCreo will continue to define and explore the most important capability components of enterprise risk management. Please see more on the ERM Framework in the Risk Strategies That Work section below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DelCreo is an (ISC)² Authorized Training Partner

Register now for high quality, cost-effective training that really packs a punch!

Upcoming DelCreo Professional Education courses (Date - Topic - Location):

Feb. 17-18, 2004 - CRISIS AND INCIDENT MANAGEMENT - Dallas, TX
http://www.delcreo.com/delcreo/education_training/incidentmgt21704dallas.cfm

Feb. 19-20, 2004 - RoI FOR INFORMATION SECURITY - Houston, TX
http://www.delcreo.com/delcreo/education_training/inofsecroi21904houston.cfm

Feb. 23-24, 2004 - BUILDING COMPLIANCE-BASED AWARENESS - Las Vegas, NV
http://www.delcreo.com/delcreo/education_training/compliance22304vegas.cfm

Feb. 25, 2004 - BCP METRICS-MANAGING A BCP PROGRAM - San Jose, CA
http://www.delcreo.com/delcreo/education_training/bcpmetrics22504sanjose.cfm

Feb. 26, 2004 - STRATEGIC PLANNING - San Jose, CA
http://www.delcreo.com/delcreo/education_training/stratplan22604sanjose.cfm

Mar. 9-10, 2004 - RAPID RISK ASSESSMENT WORKSHOP - Dallas, TX
http://www.delcreo.com/delcreo/education_training/rapidrisk3904dallas.cfm

Mar. 11, 2004 - BCP METRICS-MANAGING A BCP PROGRAM - Dallas, TX
http://www.delcreo.com/delcreo/education_training/bcpmetrics31104dallas.cfm

Mar. 16, 2004 - STRATEGIC PLANNING - Chicago, IL
http://www.delcreo.com/delcreo/education_training/stratplan31604chicago.cfm

Mar. 17-18, 2004 - BUILDING COMPLIANCE-BASED AWARENESS - Atlanta, GA
http://www.delcreo.com/delcreo/education_training/compliance31704atlanta.cfm

Mar. 31-Apr. 1, 2004 - CRISIS AND INCIDENT MANAGEMENT - Cleveland, OH
http://www.delcreo.com/delcreo/education_training/incidentmgt33104clevoH.cfm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Risk Strategies That Work on ERM Framework

o Risk assessments should identify and understand risks as well as the organization's ability to manage risk
o Develop and articulate your organization's risk appetite; this is a key element of an effective ERM approach
o Create an ERM Council/Committee, even if it is ad hoc and in the beginning you are the only one driving the show.
o Attempt to document/develop the roles and responsibilities of the various risk management related organizations, how you will collaborate, share information, etc. How will the most common risks be handled? Get agreement among the key players
o Any enterprise risk management assessment should include a review of the interactions, sharing of information, collaborative approach to managing risk, etc. that exists among the various risk management functions
o Understand the lifecycle aspects of key risks. Develop risk strategies that address the most critical risks before, during and after they occur

**********************************************************************************

DelCreo, Inc.
An Enterprise Risk Management Company
Helping Risk Professionals Develop and Rollout Successful Risk Programs

U.S./Toll-free: 866.DELCREO
International: 001/801.756.4180
www.delcreo.com
info@delcreo.com

2003 DelCreo, Inc. All rights reserved. You are free to use material from the Successful Risk Programs ezine in whole or in part, as long as you include the following complete attribution, including live website link:

By DelCreo, Inc. - An Enterprise Risk Management Company. Please visit DelCreo's website at www.delcreo.com for additional risk articles, resources, tools, and services for Risk Professionals on how to develop and rollout successful risk programs.

**********************************************************************************

To unsubscribe or change subscriber options visit: http://www.aweber.com/z/r/?taymlcymtmysdoxsdeym