Lecture 3 Building an Information Risk Management Toolkit:
Practical Governance, Risk and Compliance
Dr. Barbara Endicott-Popovsky
Terminology
QUICK REVIEW
Today's organizations are concerned about GRC: Governance, (Enterprise) Risk Management, Compliance.
What is GRC?
Governance: the processes, systems and controls by which organizations defend the interests of their stakeholders. E.g. IFRS, COSO, OECD, Clause 49.
Risk: the possibility of loss or injury created by an external entity or by a person. E.g. operational risk, credit risk, market risk.
Compliance: the concept of acting in accordance with established laws, regulations, protocols, standards and specifications. E.g. SOX, HIPAA, FCPA.
Maclear LLC, 2012
GRC Components
GRC Reporting & Analytics: Dashboards; Reporting; Alerts.
GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Management.
GRC Application Controls: SoD & Access; Application Configuration; Transaction Monitoring.
GRC Infrastructure Controls: Identity Management; Data Security; Change Management; Records Management; Digital Rights.
Governance, Risk Management and Compliance
Governance
The overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures.
Risk management
The set of processes through which management identifies, analyzes, and responds appropriately to risks that might adversely affect realization of the organization's business objectives.
Compliance
Conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
GRC Eco-System
GRC is the integration of: Governance; Risk Management; Compliance Management; Ethics Management; Performance Management; Internal Controls; Information Assurance.
Lecture roadmap: Risk Management, Policy Management, Compliance Management, Corporate Governance.
Risk Management
Topics: Definitions and Terms; Purpose of Risk Management; Managing the Upside and Downside of Business; RM Framework; Measuring Risk; Risk Assessment Approach; Risk Calculations; Risk Reporting.
Definitions and Terms
Risk (n): The undesirable effect of uncertainty on achieving business objectives.
Risk (v): To put something in a state where it may encounter undesirable effects on achieving objectives due to uncertainty.
Risk Management System or Framework: A system that addresses risk and reward.
Risk Management Process: The process that establishes context, communicates with stakeholders about risk management, and identifies, analyzes, prioritizes, treats, and monitors risk while addressing reward.
Risk is like a fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.
Theodore Roosevelt
The purpose of risk management is to change the future, not to explain the past
The Book of Risk, Dan Borge
Purpose and Objectives of Risk Management
To gain a comprehensive view of the significant financial, strategic, compliance, and operational risks across an organization or entity.
To build a sustainable process within the business to continually assess, improve, and monitor the significant risks to achieving organizational objectives.
Optimal use of resources through risk-based decision making: cost-effective investments in defensive measures; proper focus on the issues of highest concern.
To assist the business in realizing opportunities through a broader understanding of the risks it faces.
Managing Upside and Downside
Keep Us Out of Trouble (the downside): Growing Number of Restatements; Bigger Fines and Settlements; Expanding Regulation; Stiffer Sanctions; Catastrophic Reputational Consequences; Criminal Indictments. The usual reaction: "All too confusing and overdone... except when we get in trouble."
Make Our Business Better (the upside, and the goal): Coordinated Risk Activities; Enhanced Business Processes; Better Product Offerings; Effective Use of Technology; Improved Communications and Disclosure; Reduced Total Risk Spend. The open question: "We must do it, but how do we do it better?"
Corporate Risk Dimensions
Risks can be identified at various levels of an organization, called dimensions. For instance, technology risks can be grouped into the following five risk dimensions: Organizational Risks; Functional Risks; Process & Technology Risks; Data Risks; External/Environmental Risks.
Risk Calculations
Inherent Risk = Inherent Likelihood x Inherent Impact (equivalently, Threat Likelihood x Magnitude of Impact): the risk before existing controls are taken into account.
Residual Risk = Residual Likelihood x Residual Impact: the risk that remains once existing controls are taken into account.
Likelihood and impact are each scored 1 through 5 using the criteria tables that follow, so both products range from 1 to 25.
Impact Criteria
Each impact score (5 = Critical down to 1 = Minimal) is described across six criteria: reputational impact on stakeholders (i.e., customers, shareholders, and employees); operating income; impact on value (EPS impact on annual guidance); duration; organizational and operational scope; and legal/compliance/environmental impact.
Score 5, Critical
Reputational: Permanent loss of stakeholder confidence resulting in legal action, interruption in enterprise operations globally, and/or defection to competition.
Operating income: >11% (>$2.5B).
Impact on value: Significant reduction in market capitalization, significant draw on liquidity reserve (EPS >$0.25).
Duration: Significant recovery period.
Scope: Enterprise-wide; inability to continue business operations globally.
Legal/compliance: Global restrictions on conducting business in certain product lines, markets, or geographies.
Score 4, High
Reputational: Sustained losses in 2 or more stakeholder groups.
Operating income: >4.4% (>$1.0B).
Impact on value: Substantial reduction in market capitalization, substantial draw on liquidity reserve (EPS >$0.10).
Duration: Recoverable in the long term (i.e., 24-36 months).
Scope: 2 or more divisions; significant, ongoing interruptions to business operations within 2 or more divisions.
Legal/compliance: Prohibited from conducting business in certain product lines, markets, or geographies.
Score 3, Moderate
Reputational: Moderate loss in 1 or more stakeholder groups.
Operating income: >2.2% (>$500M).
Impact on value: Limited reduction in market capitalization, limited draw on operating cash flow (EPS $0.05).
Duration: Recoverable in the short term (i.e., 12-24 months).
Scope: 1 or more division(s); moderate impact within 1 or more division(s).
Legal/compliance: Significant fines or limitations on conducting business in certain product lines, markets, or geographies.
Score 2, Low
Reputational: Limited to minor/short-term loss in 1 stakeholder group.
Operating income: >1.10% (>$250M).
Impact on value: Missed forecast(s) and/or budget(s), limited draw on operating cash flow (EPS $0.025).
Duration: Temporary (i.e., less than 12 months).
Scope: 1 division; limited impact within 1 division.
Legal/compliance: Limited actions against the company with limited effects on operations.
Score 1, Minimal
Operating income: >0.50% (>$100M).
Impact on value: EPS $0.01.
All other criteria: Minimal impact.
Likelihood Criteria
Score 5, Expected: The risk event or circumstance is relatively certain to occur, or has occurred within the past year. Probability 90-100%. Frequency: almost yearly.
Score 4, Highly Likely: The risk event or circumstance is highly likely to occur. Probability 70-90%. Frequency: every 2 to 3 years.
Score 3, Likely: The risk event or circumstance is more likely to occur than not. Probability 50-70%. Frequency: every 4 to 6 years.
Score 2, Not Likely: The risk event or circumstance occurring is possible. Probability 10-50%. Frequency: every 7 to 9 years.
Score 1, Slight: The risk event or circumstance is only remotely probable. Probability <10%. Frequency: every 10 years and beyond.
Management Activity/Control Level Criteria
Score 5, Very High (Effective): Controls and/or management activities are properly designed and operating as intended, with no defined opportunities for improvement. There are no outstanding High or Medium risk audit issues, and no material weaknesses or significant deficiencies as defined by SOX or the external auditors.
Score 4, High (Limited Improvement Opportunity): Controls and/or management activities are properly designed and operating, with limited opportunities for improvement identified. There are no outstanding High risk audit issues, and no material weaknesses or significant deficiencies as defined by SOX or the external auditors.
Score 3, Moderate (Moderate Improvement Opportunity): Key controls and/or management activities are in place, with moderate opportunities for improvement identified. There are no outstanding High risk audit issues. There may be some significant deficiencies as defined by SOX or the external auditors.
Score 2, Low (Significant Improvement Opportunity): Limited controls and/or management activities are in place; a high level of risk remains and a significant opportunity for improvement is identified. There are outstanding High and/or Medium risk audit issues or significant deficiencies as defined by SOX or the external auditors.
Score 1, Very Low (Critical Improvement Opportunity): Controls and/or management activities are non-existent or have major deficiencies and don't operate as intended; a critical opportunity for improvement is identified. There are outstanding High risk audit issues or material weakness(es) as defined by SOX or the external auditors.
NOTE: When evaluating the Management/Control Level for a particular risk event or circumstance, base the evaluation on the management activities and/or controls that exist both within defined business processes and at the entity level. The table provides guidance for choosing a score of 1 through 5.
Measuring Risk - Risk Map
The map plots likelihood against impact and prescribes a response for each region:
High risk (high impact, high likelihood): Seek risk responses (avoid, transfer/share, mitigate/reduce, accept); remediate the items causing the risk; investigate the risk further to gain better insight on how to respond.
Medium risk (high impact, low/medium likelihood): Seek ways to reduce the impact of the risk, should it occur; investigate further to confirm that likelihood is not higher than believed; assess processes and controls to ensure the risk will not worsen.
Medium risk (low/medium impact, high likelihood): Seek ways to reduce the likelihood of the risk occurring; investigate further to confirm that impact is not higher than believed; assess processes and controls to ensure the risk will not worsen.
Risks falling at or near the risk tolerance level: Accept the risk, since it is at or near the tolerance level; seek ways to reduce the likelihood or impact of the risk; assess processes and controls to ensure the risk will not worsen.
Low risk (low impact, low likelihood): Monitor the risk periodically to confirm it has not increased.
Risk Levels and Impact of Risk Treatment
Chart: a representative sample of ten Tier 1 risks plotted by Severity of Impact (Mild, Moderate, Serious, Severe, Catastrophic) against Likelihood of Occurrence (Remote, Unlikely, Possible, Likely, Almost Certain), showing each risk's inherent position and its residual position after treatment. Risks shown: Privacy / Security of Critical Data; Business Continuity Management; Corruption; Product Quality; Financial Guidance and Market Expectations; HW Quality and Compliance; Taxation of Foreign Earnings; Credit and Collections; Y! Data Management.
Risk Responses
Avoid: Choosing not to participate in the activity that is associated with or causing the risk.
Transfer/share: Engaging another party to accept all or part of the risk. This can be through insurance, outsourcing risky tasks, or entering into business arrangements/agreements whereby risk is shared across parties or reassigned to the other party.
Mitigate/reduce: Decrease the level of risk either by reducing the probability that the risk might occur, or by taking measures that will lessen the impact should the risk occur.
Accept: Acknowledge the risk and choose to do nothing, thereby accepting any potential impacts and consequences.
Risk Assessment Methodologies
National Institute of Standards & Technology (NIST) methodology; ISO 31000; OCTAVE; COSO ERM; FRAP; Risk Watch.
Established Governance and Risk Management methodologies
McCumber cube: evaluating information assurance programs.
COBIT: Control Objectives for Information and related Technology.
COSO Enterprise Risk Management.
Companies often adopt a hybrid.
Risk Assessment Approach
1. Planning and scoping
2. Business risk scenarios (drawn from the risk universe)
3. Assessment of risks and controls
4. Management recommendations
5. Action planning and execution
6. Action tracking and reporting
ERM Risk Universe
Strategic
Business Model: Vision & Direction; Monetization Model; Brand/Marketing Strategy; Channel Strategy; Pricing Strategy; Competitive Positioning; Value Chain Strategy; Measurement & Monitoring.
Strategic Investments: M&A; Partner Alliance; Ecosystem Investments; R&D Investments.
Market Dynamics: General Macro Environment; Social-Political; Technology Changes; Talent Acquisition; Customer Demand; Consumer Lifestyle; UGC/Sharing; Use of Mobile vs. PC; Piracy.
Business Model Disruptions: "Thin" Client Services; Open Source; Ad-Funded; Virtualization; OEM Disruption; Channel Alienation; Importance of S/W-H/W Coupling.
Operations
Product Development: Product Strategy; Software Development; Product Development Partners; Product Quality/Integrity; Product Security; Product Release; 3rd Party Subsystems or Functionality Integration.
Sales & Marketing: Research and Development; Marketing; Advertising; Product Pricing; Sales and Marketing - Partner Management; Sales Contracting/Customer Pricing; Order Management; Public Relations.
Services: Consulting Services; Customer Support; Service Partners; Customer Operations.
People: Culture; Recruiting & Retention; Global Resourcing; Development and Performance; Succession Planning; Compensation & Benefits; Labor Relations; Employee Communications; Organizational Structure.
Information Technology: Infrastructure Resiliency and Availability; Data Privacy; Data Management, Integrity and Quality; Infrastructure Security; Information System Access; IT Governance.
Business Continuity: Natural Events; Man Made Events; Information Technology Recovery; Business Process Recovery; Crisis Management.
Supply Chain: Manufacturing; Planning and Forecasting/Product Availability; Vendors/Partners/Contract Execution; Procurement; Production; Inventory & Capacity Management; Distribution Channels; Product Licensing/Subscriptions; Product Compliance; Software Piracy.
Corporate Physical Security: Buildings and Facilities; Threats of Violence; Incidents of Theft; Life Safety.
Financial/Reporting
Planning & Resource Allocation: Operational and Business Planning; Budgeting and Forecasting; Capital Expenditure Planning; Outsourcing.
Treasury: Cash Management; Hedging; Investing; Insuring; Funding; Credit and Collections; Securities Lending.
Financial Reporting: GAAP Accounting; External Reporting & Disclosure; Internal Control/SOX 404/302; Statutory Reporting; Internal Reporting; Information & Reporting Integrity.
Tax: Tax Strategy and Planning; Tax Optimization; Transfer Pricing; Property Taxes; Tax Compliance.
Investor Relations: Communications.
Mergers, Acquisitions & Divestitures: Accounting for Mergers, Acquisitions & Divestitures.
Internal Audit.
Legal/Compliance
Corporate Governance: Board Performance; Governance Framework; Corporate Citizenship.
Legal Compliance: Ethics and Business Conduct; Anti-Corruption; Fraud.
Legal: Contract; IP/Source Code Protection; IP Infringement; Piracy/Counterfeiting.
Regulatory: Antitrust and Competition Law; Export Control and Global Trade; Labor Laws and Regulations; Securities; Environment; Data Protection and Privacy; Product Safety.
Risk Reporting: Risk Maps
The Risk Map displays individual unit risks in relation to each other based on the Impact and Likelihood assessment. Risk Exposure (Impact x Likelihood) is plotted against the Management/Control Activity Level, giving four regions:
Improve (high exposure, low control): Areas of high risk exposure with a low level of control must be the key priority for improvements in management and control activities.
Monitor (high exposure, high control): Areas of high risk exposure where controls are deemed adequate should be monitored to provide ongoing assurance of control effectiveness.
Accept (low exposure, low control): Areas of low risk exposure that also have a lower level of control may be consciously accepted by the organization.
Optimize (low exposure, high control): Areas of low risk exposure with a high level of control may generate opportunities to optimize the management and control activities.
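The risk calculations (inherent and residual risk as likelihood times impact), the 1-to-5 likelihood, impact and management/control level criteria, and the Improve/Monitor/Accept/Optimize risk map can be combined into a small risk-register scorer. The Python below is an added example written for this page; it is not code from the lecture or from Maclear LLC. It assumes cut-offs the slides do not state: an exposure of 10 or more (out of 25) counts as "high", a control level of 4 or 5 counts as "high", probability bands are closed at their lower bound, and a risk's map quadrant is read from its inherent exposure against its control level. The register entries are constructed sample values, not data from the lecture.

```python
"""Risk register scorer built on the 1-5 Impact, Likelihood and Management/Control
Level criteria and the Improve/Monitor/Accept/Optimize risk map from the lecture.
Added example; not part of the original slides or Maclear LLC material."""

from dataclasses import dataclass

# Likelihood criteria: (score, rating, lower probability bound, longest interval
# in years covered by the Frequency column). Bands are ordered high to low and
# treated as closed at the lower bound (assumption: the slide lists 70-90% and
# 90-100% without saying on which side 90% falls).
LIKELIHOOD_BANDS = [
    (5, "Expected",      0.90, 1),     # 90-100%, almost yearly
    (4, "Highly Likely", 0.70, 3),     # 70-90%,  every 2 to 3 years
    (3, "Likely",        0.50, 6),     # 50-70%,  every 4 to 6 years
    (2, "Not Likely",    0.10, 9),     # 10-50%,  every 7 to 9 years
    (1, "Slight",        0.00, None),  # <10%,    every 10 years and beyond
]
IMPACT_RATINGS = {5: "Critical", 4: "High", 3: "Moderate", 2: "Low", 1: "Minimal"}
CONTROL_RATINGS = {5: "Very High", 4: "High", 3: "Moderate", 2: "Low", 1: "Very Low"}

# Assumed cut-offs for the risk map axes; the slide only says High and Low.
HIGH_EXPOSURE = 10  # impact x likelihood of 10 or more, out of a possible 25
HIGH_CONTROL = 4    # Management/Control Level of 4 (High) or 5 (Very High)


def likelihood_score(probability):
    """Map an annual probability in [0, 1] to the 1-5 likelihood score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for score, _rating, low, _years in LIKELIHOOD_BANDS:
        if probability >= low:        # first band whose lower bound is met
            return score


def likelihood_score_from_interval(years_between_events):
    """Map 'occurs about every N years' to the 1-5 score via the Frequency column."""
    if years_between_events <= 0:
        raise ValueError("interval must be a positive number of years")
    for score, _rating, _low, max_years in LIKELIHOOD_BANDS:
        if max_years is None or years_between_events <= max_years:
            return score


@dataclass
class RiskEntry:
    name: str
    inherent_likelihood: int   # 1-5, before controls
    inherent_impact: int       # 1-5, before controls
    residual_likelihood: int   # 1-5, with existing controls in place
    residual_impact: int       # 1-5, with existing controls in place
    control_level: int         # 1-5 Management/Control Level


def inherent_risk(entry):   # Inherent Risk = Inherent Likelihood x Inherent Impact
    return entry.inherent_likelihood * entry.inherent_impact


def residual_risk(entry):   # Residual Risk = Residual Likelihood x Residual Impact
    return entry.residual_likelihood * entry.residual_impact


def entry_errors(entry):
    """Return data problems found in an entry; an empty list means it is usable."""
    errors = []
    for name in ("inherent_likelihood", "inherent_impact", "residual_likelihood",
                 "residual_impact", "control_level"):
        value = getattr(entry, name)
        if not isinstance(value, int) or not 1 <= value <= 5:
            errors.append(f"{entry.name}: {name}={value!r} is not a score from 1 to 5")
    # Controls can only remove risk, so residual must never exceed inherent.
    if not errors and residual_risk(entry) > inherent_risk(entry):
        errors.append(f"{entry.name}: residual risk exceeds inherent risk")
    return errors


def quadrant(exposure, control_level):
    """Place a risk on the Risk Exposure vs Management/Control Activity Level map."""
    high_exposure = exposure >= HIGH_EXPOSURE
    high_control = control_level >= HIGH_CONTROL
    if high_exposure:
        return "Monitor" if high_control else "Improve"
    return "Optimize" if high_control else "Accept"


def assess(entry):
    """Score one register entry; raises ValueError on bad input."""
    errors = entry_errors(entry)
    if errors:
        raise ValueError("; ".join(errors))
    inherent = inherent_risk(entry)
    return {
        "name": entry.name,
        "inherent_risk": inherent,
        "residual_risk": residual_risk(entry),
        "impact_rating": IMPACT_RATINGS[entry.inherent_impact],
        "control_rating": CONTROL_RATINGS[entry.control_level],
        # Assumption: the quadrant is read from inherent exposure against the
        # control level, i.e. how much risk the existing controls are carrying.
        "quadrant": quadrant(inherent, entry.control_level),
    }


def assess_register(entries):
    """Score every entry and order the register by inherent risk, highest first."""
    return sorted((assess(e) for e in entries),
                  key=lambda row: row["inherent_risk"], reverse=True)


# Constructed sample register; the scores are illustrative, not from the lecture.
SAMPLE_REGISTER = [
    RiskEntry("Privacy / security of critical data", 4, 5, 2, 5, 2),
    RiskEntry("Business continuity management",      3, 4, 2, 3, 4),
    RiskEntry("Product quality",                     3, 3, 2, 2, 5),
    RiskEntry("Credit and collections",              2, 2, 1, 2, 2),
]
```

Calling `assess_register(SAMPLE_REGISTER)` returns the four entries ordered 20, 12, 9 and 4 by inherent risk, landing in the Improve, Monitor, Optimize and Accept quadrants respectively; `entry_errors` is the gate a practitioner wants before any score is trusted, since a register row whose residual exceeds its inherent score is a data-entry error rather than a finding.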
Risk Management Recap
Definitions and Terms; Purpose of Risk Management; Managing the Upside and Downside of Business; RM Framework; Measuring Risk; Risk Assessment Approach; Risk Calculations; Risk Reporting.
Lecture roadmap: Risk Management, Policy Management, Compliance Management, Corporate Governance.
Policy Management
Topics: Regulations and Corporate Policies; Policies, Standards and Guidelines; Policy Management Lifecycle; Policy Compliance.
Policy as Extension of the Rule of Law
Diagram: the legal system surrounds the corporate boundary, and corporate policy sits inside that boundary, carrying the rule of law into the organization.
Policy Management Lifecycle
1. Environment Changes: consider the corporate, risk and regulatory environments.
2. Policy Development: consider ownership, writing and approval processes.
3. Policy Communication: consider publication, training and attestation.
4. Policy Monitoring: consider enforcement and exception management.
5. Policy Maintenance: consider review and archival processes.
Policy Compliance
Compliance management follows policy deployment as a cycle: Promote, Enable, Monitor, Report.
Promote: Communicate the business value of compliance; communicate how we help achieve compliance value.
Enable: Deliver and support the processes and tools that enable compliance; prepare and support the people who are accountable for compliance.
Monitor: Monitor compliance processes and tools; measure the effectiveness of compliance, including processes and tools.
Report: Report on the enterprise health of compliance; provide business group reporting to management.
Policy Management Recap
Regulations and Corporate Policies; Policies, Standards and Guidelines; Policy Management Lifecycle; Policy Compliance.
Lecture roadmap: Risk Management, Policy Management, Compliance Management, Corporate Governance.
Compliance
Topics: Complying with Internal and External Factors; Stakeholder challenges and expectations; Emerging compliance issues; Compliance Risk Universe; Corporate Compliance Framework.
What are we hearing about compliance?
The traditional mindset is driven by internal and external factors, and its goal is simply to keep us out of trouble.
External factors: International Mandates and Voluntary Codes; Legal/Regulatory Requirements; Stock Exchange Listing Rules; Stakeholder Expectations; Ratings Agencies; Public/Political Pressure; Executive Removals.
Internal factors: Transactions / M&A; Global market expansion; Outsourcing; New product launches; Overlapping compliance responsibilities.
Potential impacts of non-compliance: Bigger Fines and Settlements; Stiffer Sanctions; Criminal Indictments; Catastrophic Reputational Consequences (Personal and Corporate).
Increasing Stakeholder Expectations
Board viewpoint: Boards identified compliance as the most significant risk in 2007; the other areas ranked were Regulatory, M&A/Divestitures, IT, Market Dynamics, Major Initiatives and People/HR. (Source: Ernst & Young Audit Committee Perspectives, 2007)
CEO viewpoint: Legal risk is the highest rated area in which CEOs won't tolerate risk; the other areas ranked were Financial, Operating and Strategic. (Source: The Conference Board, June 2005)
Investor viewpoint: Investors expect transparent compliance risk management strategies; the areas ranked were Compliance, Insolvency, Competitive, Reputational, Security and Technology. (Source: Ernst & Young Global, August 2005)
Emerging Issues and Questions
How are leading companies:
defining compliance?
identifying their more significant compliance risks and emerging (frontier) issues?
preventing and detecting non-compliance?
monitoring and measuring the effectiveness of their compliance function?
aligning and coordinating compliance and risk management activities, and embedding compliance into the business?
leveraging their compliance investments to provide benefit within their business units?
defining a successful compliance function and assigning ownership for its success?
Corporate Compliance Framework
Industry standards and regulations: Payment Card Industry Data Security Standard (PCI DSS); FISMA (NIST SP 800-53 r3); Health Insurance Portability and Accountability Act (HIPAA); Sarbanes-Oxley; privacy laws; etc.
Controls framework: identify and integrate regulatory requirements and customer requirements.
Predictable audit schedule: test effectiveness and assess risk; attain certifications and attestations; improve and optimize.
Assess and remediate: examine the root cause of noncompliance; track until fully remediated; eliminate or mitigate gaps in control design.
Certifications and attestations: ISO/IEC 27001:2005 certification; Statement on Auditing Standards No. 70 (SAS 70) Type II attestation; PCI DSS certification; FISMA certification and accreditation.
Compliance Process (diagram slide)
Rationalized Requirements (diagram slide)
Compliance Recap
Complying with Internal and External Factors; Stakeholder challenges and expectations; Emerging compliance issues; Compliance Risk Universe; Corporate Compliance Framework.
Lecture roadmap: Risk Management, Policy Management, Controls & Compliance, Governance.
Governance
Corporate governance: the set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered or controlled.
Information Technology governance: a subset of corporate governance focused on IT system performance and risk management.