Michigan Bankers Association Best 2014 enterprise risk management ppt
•Télécharger en tant que PPTX, PDF•
1 j'aime•638 vues
Enterprise Risk Management
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Michigan Bankers Association Best 2014 enterprise risk management ppt
Similaire à Michigan Bankers Association Best 2014 enterprise risk management ppt (20)
Dernier
Dernier (20)
Michigan Bankers Association Best 2014 enterprise risk management ppt
- 1. Enterprise Risk Management for Community Banks Brian T. O’Hara CISA, CISM, CRISC, CISSP CISO The Mako Group, LLC btohara@makopro.com http://www.linkedin.com/in/brianohara/ Twitter: @brian_t_ohara
- 2. The Mako Group, LLC • IT & Info Sec Auditing • IT Risk Assessments • Security Training • Vulnerability Assessments • Social Engineering • PCI DSS 3 • FISMA Audits • Penetration Testing • Gap Assessments • SOC 1 and SOC 2 • SOX 404 • HIPAA • Virtual CISO
- 3. The Mako Group, LLC • 1570 Woodward Ave. Detroit, MI 48266 Phone: 313.355.0538 Email: detroit@makopro.com • 110 West Berry Street - Suite 2400 Fort Wayne, IN 46802 Phone: 260.267.5999 Email: fortwayne@makopro.com • 8555 River Road - Suite 315 Indianapolis, IN 46240 Phone: 317.941.MAKO (6256) Email: indianapolis@makopro.com
- 4. BIO • CISO of The Mako Group, LLC • ISSA Fellow • Program Chair, CINT Ivy Tech NE • Adjunct Faculty Indiana Tech • CISSP - Certified Info Systems Security Prof. • CISA - Certified Information Systems Auditor • CISM - Certified Information Security Manager • CRISC - Certified Risk Info System Controls
- 5. BIO • CAE of The Mako Group, LLC • CPA • MSA – Masters of Accountancy • ISACA Detroit Chapter • CISA - Certified Information Systems Auditor • Previously ran the Sarbanes-Oxley and FDICIA programs for Ally Bank
- 6. What Is ERM? • Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (http://www.rims.org/erm/pages/WhatisERM.aspx)
- 7. ERM Elements? • Tied to Bank’s Strategic Plan • Chief Risk Officer (Top Down Approach) • Correlations (non-silo) • Target Objectives • Measurable • Focus on Outcomes
- 8. ERM Principles • Not just about Risk Mitigation – It is a management system • Management Model that leads to action • Unified Approach • Answers Key Questions
- 9. Quiz 1 • Who Invented the World Wide Web? • Tim Berners-Lee
- 10. ERM Key Questions • Do we understand risk across the enterprise? • What is the reward? • Is the risk acceptable? • Is the reward great enough? • Does it link strategies? • Is it supported from the top down? • Are discussions made with input to business as opposed to protecting lines of business?
- 11. Who Is ERM Designed For? • Community Banks? • Size? • Complexity? • Affordability? • Value Add?
- 12. Examples • Larger Banks • Publicly Traded Companies (SOX) • Service Providers (CORE)
- 13. ERM Value? • Provides a more robust picture of risk • Corrects Silo Risk Mentality • Provides Greater Transparency • Delivers Effective Resource Allocation • Shifts Focus from Reactive to Proactive • Examiner Expectations
- 14. Sound ERM • IT Risks Rolled Up • NO Risk Silos • Integrated with Business Strategy • Provides More Accurate Picture of Tolerance • More Effective Resource Allocation • Proactive v Reactive • Helps Identify Key Controls
- 15. Poor ERM • Risk Silos • Poor View of Overall Risks • Reactive rather than Proactive • Examples – Target – TJ Max – Heartland Payment Processors
- 16. Quiz 2 • What was the first commercial web browser?
- 17. ERM Frameworks? • COSO • RIMS • ISO • COBIT • FFIEC Guidance • Johnson and Johnson • NIST
- 18. Risk Management Frameworks? • CyberSecurity (Exec Order 13636) • NIST • COBIT • COSO • ISO • FFIEC Guidance
- 19. Communicating ERM Across Enterprise • Quantitative v & Qualitative • $ to Risk to Exposure • Opportunities
- 20. How To Implement ERM • Pick a framework • Get top management buy in • Establish Enterprise stakeholders
- 21. How to Discuss with Sr. Mgmt • Cost • Risk • Opportunity
- 22. How to Explain • Quantitative v Qualitative Information
- 23. Quiz 3 • Who sent the first official “email” over the internet? • Mark Tomlinson
- 24. When is ERM not a good fit? • Lack of Sr. Management Buy in • Size and complexity of operations • Too expensive, cost v benefit
- 25. ERM Problems • Lack of single unifying framework • Remains reactive • Discounts insiders (relies on “experts”) • Does not calculate mitigation costs • Fails to rank risk • Lack of academic studies showing effectiveness
- 26. Cybersecurity Framework • NIST Creation • Fits smaller community banks • Easily tailored and scalable • Encompasses ERM key components • Provides control mappings to standards • Above and beyond examiner expectations • Affordable implementations
- 27. The Mako Group’s Approach (Hybrid) • Guided (organization is the expert) • Holistic • Eclectic • Customized based on organization needs • Based on value added • Built to optimize resource allocation
- 28. Conclusions • ERM is not always a good fit • Can be costly • Can add unforeseen visibility • Can add predictive value • Can still provide guiding principles
- 29. Summary • ERM value still unclear • ERM is a holistic approach • More Complex • More about choosing pieces that work for you • Hybrid approaches using models like Cybersecurity Framework provides best of both worlds
- 30. THANKS Brian T. O’Hara CISA, CISM, CRISC, CISSP CISO The Mako Group, LLC btohara@makopro.com http://www.linkedin.com/in/brianohara/ Twitter: @brian_t_ohara
Notes de l'éditeur
- As an information security firm, The Mako Group specializes in protection - providing security through auditing, testing and assessments. And, we do it all with the highest quality standards possible. That means an exclusive team of executive-level staff, easy-to-understand reviews and a proprietary audit guide that's the most comprehensive in the industry. When you choose The Mako Group, you're gaining a partnership that dives into the very core of your overall security, ensuring that your company and entire control environment are stronger as a result. And that adds up to a better, more secure future for you.
- Mr. O’Hara has been involved in the field of information security for over 17 years and currently serves as the CISO for The Mako Group, LLC, an IT Security Consulting company specializing in Auditing and Information Security for the Health Care, Manufacturing, Retail and Financial industries as well as both the private and public sectors. As CISO, his responsibilities include overseeing and managing security related functions including but not limited to audit and regulatory compliance reviews, development and implementation of Risk Management frameworks and internal security and development of strategic planning with regard to emerging technologies. He holds a BA from Indiana University, Bloomington and an MA from the University of North Dakota. When Brian isn’t out speaking or trying to solve your business security problems he spends time riding his bike, playing one of seven instruments and walking one or more of his five dogs (shelties named after musicians). In addition he enjoys eating his wife Brenda’s famous gourmet cooking
- Shane O’Donnell has been involved in the fields of Accounting, Risk Management and Audit for over 10 years and currently serves as the Chief Audit Executive for The Mako Group, an IT Security Consulting company specializing in Auditing and Information Security for the Health Care, Manufacturing, Retail and Financial industries as well as both the private and public sectors. As CAE his duties include overseeing the overall audit function, developing The Mako Group engagement methodology and servicing The Mako Group’s clients. Shane holds a BA in Accounting from Western Michigan University and an MSA in Accounting from Walsh College. He received his initial audit training at PricewaterhouseCoopers and was the Manager of Financial Controls at Ally Bank prior to joining The Mako Group. As Chief Audit Executive, Shane’s responsibilities include: Developing and overseeing the application The Mako Group audit methodology Performing comprehensive risk assessments identifying vulnerabilities and creating actionable plans to mitigate outstanding risks Performing training with new staff members to maintain high level of service to customers Partnering with companies to improve and test compliance with applicable rules and regulations Mr. O’Donnell has presented and conducted training on topics of interest to the audit community such as: Sarbanes-Oxley Compliance FDICIA Compliance Risk Management Internal Control Implementation Mr. O’Donnell is an active member in the Detroit Chapter of ISACA and is a Certified Public Accountant and Certified Information Systems Auditor.
- Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. ERM represents a significant evolution beyond previous approaches to risk management in that it: Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.); Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual “silos”; Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders; Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks; Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature; Views the effective management of risk as a competitive advantage; and Seeks to embed risk management as a component in all critical decisions throughout the organization (http://www.rims.org/erm/pages/WhatisERM.aspx)
- Is ERM really meant for community banks and at what size does it begin to make sense? Person owned credit unions are specifically exempted from performing ERM activities in NCAU regs.
- http://coso.org/-ERM.htm http://www.rims.org/resources/erm/Pages/default.aspx http://ww.iso.org FFIEC – see included documents http://www.jnj.com http://www.nist.gov
- Cybersecurity Framework – see included documents
- One common theme throughout the literature has to do with the difficulties discussing technical findings with the C Suite. Most authors recommend that risk be discussed in terms of the opportunities to the organization and how it fits with the risk tolerance profile.