The webinar covers:
• Centralized operation models (shared services)
• The benefits case
• Options for managing risk, control and compliance in centralized operations
Presenter:
This session was presented by Steve Tremblay, Senior ITSM Consultant and Trainer at ExcelsaTech, and a PECB Certified Trainer.
Link to the recorded session published on YouTube: https://youtu.be/LaLWI_ULjjU
Centralized operations – Risk, Control, and Compliance
1. ISO 31000 – Centralized Operations – Risk, Control, and Compliance
Steve Tremblay, Senior ITSM Consultant/Trainer
B.Sc., PMP, ITIL Master, DPSM, CGEIP, COBIT, Kepner-Tregoe,
ISO/IEC 20000 Consultant Manager, ISO/IEC 27001, ISO/IEC 27002 & RESILIA
March 07, 2016
2. Steve Tremblay
Consultant and Trainer
Steve Tremblay is an executive ITSM consultant and trainer at ExcelsaTech, and a PECB Certified Trainer.
Phone: 613-720-9646
LinkedIn: http://www.linkedin.com/in/stevetremblay
Web: www.excelsatech.com
E-mail: stevetremblay@excelsatech.com
Twitter: http://twitter.com/blog/excelsatech
3. Agenda
Brief overview of the ISO 31000 Standard content
What is Risk Management?
Centralized operation models (shared services)
The benefits case
Options for managing risks, controls, and compliance in centralized operations
Conclusion
8. How can we deal with Risks?
The Classic Four: Avoid, Reduce, Transfer or Retain
[Figure: probability × impact matrix. Vertical axis: Probability (Very Low, Low, Medium, High, Very High). Horizontal axis: Impact (No, Minor, Medium, Serious, Extreme). The four treatment options (Avoid, Reduce, Transfer, Retain) are positioned as quadrants of the matrix according to the probability and impact of the risk.]
Source: DeLoach (2003)
10. ISO 31000 – Risk Management – Principles and guidelines
Clause 1 – Scope (of the standard)
Clause 2 – Terms and definitions (related to risk management)
Clause 3 – Principles
Clause 4 – Framework
Clause 5 – Process
Annex A – Attributes of enhanced risk management
11. ISO 31000 – Clause 4 (The Framework)
[Figure: the framework cycle for managing risk]
• Mandate and commitment
• Design of framework for managing risk
• Implementing risk management
• Monitoring and review of the framework
• Continual improvement of the framework
13. Risk Management
Coordinated activities to direct and control an organization with regard to risk
(as defined in ISO 31000 and ISO Guide 73)
“Risk is defined as the probability of an event and its consequences.”
“Risk management is the practice of using processes, methods and tools for managing these risks.”
Note that ISO 31000 itself defines risk more broadly as the “effect of uncertainty on objectives”; the probability-and-consequences wording above is the common working definition used in the rest of this deck (for example in the probability × impact matrix).
14. ISO 31000 – Clause 5 (The Process)
[Figure: the risk management process]
• Communication and consultation (runs alongside every step)
• Establishing the context
• Risk assessment:
  – Risk identification
  – Risk analysis
  – Risk evaluation
• Risk treatment
• Monitoring and review (runs alongside every step)
16. Centralized operations – Risk, Control, and Compliance
In these times of continued global economic uncertainty, cost reduction and effective risk management remain key imperatives.
Centralizing operations becomes an obvious and tempting option, but it must be done properly so that risk management, control and compliance are maintained rather than weakened.
17. Today’s challenges for organizations
Organizations are required to manage a multitude of challenges, such as:
• Slow growth in markets
• Challenges in realizing the full growth potential in emerging markets and managing the risks of operating in these markets
• Commodity price volatility
• Opportunities and threats of new technologies, the digital age, the cloud model, etc.
• The ever-changing and increasing burden of regulatory compliance
18. Organizations’ common response
One now almost standard response has been the use of new, more centralized operating models in the shape of shared services, offshoring (to areas such as India, Eastern Europe and South America), and co-sourcing with and outsourcing to third-party providers.
The need to centralize and reduce the cost of back-office processes and transactions is now a standard expectation.
Historically, Risk, Control and Compliance functions have been less willing to embrace these new, more centralized operating models.
19. The trend in leading organizations
They are challenging the status quo of their risk, control, and compliance operating models.
They are looking at ways in which they too can contribute to cost reduction while enhancing risk management, control, and compliance practices.
22. The Benefits
1. Cost to serve
Minimizing the time and resources devoted to risk, control and compliance activities to reduce back-office costs, and maximizing those devoted to front-office and market-facing activities.
2. Risk management and compliance
The effective management of risks and compliance needs (risks and compliance needs understood, controls in place, risks and compliance monitored), as defined within an agreed risk appetite.
3. Scalability
The ability to integrate acquisitions and manage divestments swiftly and cost-effectively through the rapid deployment of a common risk, controls and compliance framework with monitoring capabilities.
23. The Benefits
4. Agility
The ability to flex risk and control activities, and the tolerances set, as the inherent risks change with organizational change. This takes into account new risks, as well as the changing profile of existing/known risks.
5. Transparency
Provision of management information related to risk, controls and compliance that enables decision making through clarity on the risk gaps to be addressed, and on the control and compliance breaches that require remediation.
25. Options for this centralized operation model
Establishing the right centralized operating model for risk, control and compliance capabilities starts with defining:
a) what are the activities underpinning these capabilities; and
b) where within an organization should they reside.
26. Centralized operating model for risks, controls, and compliance
[Figure: three lines of defense model]
Risk categories: Strategic, Operational, Financial, Compliance
Approach: Assess, Improve, Monitor
Oversight: Executive management, Board, Audit Committee, Risk Committee
Risks, controls, and compliance coverage by line of defense:
• 1st line of defense – Ownership: Operations and business units (Dev., IT, Fin/Acct., HR, Legal, etc.)
• 2nd line of defense – Management assurance functions: Internal Controls, Compliance, Risk
• 3rd line of defense – Independent assurance functions: Internal audit, External audit
27. Suggested sources for more details:
ISO 31000: Risk management – Principles and guidelines
ISO/IEC 31010: Risk management – Risk assessment techniques
ISO Guide 73: Risk management – Vocabulary
Conclusion
If you don't actively attack risks, they will actively attack you!!
28. Dealing effectively with Risks
Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon its priorities and objectives.
Risk must be managed at the enterprise level in an integrated way. Risk management should be integrated into the business process in a way that provides timely and relevant information to management.
For risk assessment to be a continuous process, it must be owned by the business and be embedded within the business cycle, starting with strategic planning, carrying through to business process and execution, and ending in evaluation.
Risk treatments must be identified and implemented as required.
Risk can then be managed as part of day-to-day decision making, in a manner consistent with the organization’s risk appetite and tolerance.
30. PECB offering on ISO 31000
Risk Management plays a vital role in an organization’s performance. Companies increasingly focus on identifying risks and managing them before they affect their business.
PECB offers an inclusive range of ISO 31000 Risk Management training courses, which can be found below:
32. Our company
Excelsa Technologies Consulting Inc. is a trusted independent advisor, helping organizations maximize efficiencies and increase the value of their IT services.
We specialize in the delivery of Information Technology Service Management (ITSM) and Information Security Management (ISM) consulting and training services, using best practices such as the Information Technology Infrastructure Library (ITIL®), TIPA®, TOGAF®, COBIT®, and standards such as ISO/IEC 20000, 27001, 38500, ISO 31000 and others.
At Excelsa Technologies Consulting Inc., our team includes a network of the most accredited consultants and trainers in the IT industry.
ITIL® is a registered trade mark of AXELOS Limited.