Integrated Risk Management

Cameron Jackson, MBA, CISA
Senior Director, Market Strategy and Development

ABOUT CAMERON JACKSON:

● 15+ years of experience across Internal Audit, Advisory Services, Compliance, and External Audit at Ernst & Young, Precision Castparts and Columbia Sportswear

● Board Experience

○ GRC Tech Start-up

○ University of Portland Pamplin School of Business

● Integrated Risk Management technology influencer, advocate, advisor and former customer

RISKONNECT RESPONSIBILITIES:

● Market influence

● Analyst Relations

● Product innovation

● Partnerships and Alliances

● Voice of the Customer

● Competitive Intelligence

ABOUT RISKONNECT:

● Founded in 2007

● 4 worldwide regional offices

● Global presence of 300+ employees

● 300+ clients on 6 continents

● Award-winning Integrated Risk Management technology

● Frequently cited as a leading vendor by Gartner, Forrester and GRC 20/20

BEING BEST IN CLASS REQUIRES A WEALTH OF INFORMATION AND EXPERTISE. BEST IN CLASS PRODUCTS TO SOLVE ALL THINGS RISK.

[Slide graphic: vendor logos with captions: #1 Market Share APM; #1 Market Share WAN Optimization; #1 Market Share Software License Optimization; #1 Vendor Enterprise Content Management; #1 Market Share IT and Infrastructure Management Solutions for SMB; #1 Vendor Gartner IAM Solutions; #1 Market Share GovCon Software; #1 Market Share SWG Vendor; Market Leading Enterprise and Consumer Security Vendor; #1 Vendor Gartner Business Intelligence and Data Analytics]

“Well-developed risk programs do more than mitigate risk; they help maximize company performance. Advanced programs will: 1) Improve operational effectiveness 2) Strengthen strategic decision-making 3) Enhance brand loyalty” – Forrester’s Renee Murphy

Integrated Risk Management enables informed strategic decisions by tracking, analyzing, connecting and mitigating risks throughout the entire organization, providing you a holistic view of risk management.

PROBLEM: WHY INTEGRATED RISK MANAGEMENT?

Timeline:

● 1994: AS/NZS 4360

● 1999: founded

● 2000: Y2K

● 2001: Enron

● 2002: Sarbanes-Oxley Enacted

● 2007: First iPhone released

● 2008: Financial Crisis, Lehman Brothers

● 2009: ISO 30001 Enterprise Risk Management

● 2010: BP Spill

● 2013: Target Breach

● 2014: Yahoo Breach

● 2016: COSO ERM Update; Brexit

● 2017: Volkswagen $4.3B Fine; Equi-hack; Integrated Risk Management

● Executive Scandal

Variety of Issues, Cases, Investigations & Incidents to Manage

WHY IS INTEGRATED RISK MANAGEMENT IMPORTANT?

One Source of the Truth @ The Speed of Risk

● Issue & Incident Management

● Exposures & Insurance Allocations

● Enterprise Risk Management

● Internal Audit

● Property & Assets

● Compliance & Regulatory Management

● Vendor / 3rd Party Risk Management

● Claims Management

● Corrective Actions

● Policy Management

● Business Continuity Management

● Quality Management

● Root Cause Analysis

● Governance & Ethics

● Field Audits & Inspections

● Safety

Aligning Risk to Strategy and Performance

ARAMARK: A CASE STUDY

Aramark provides dining, facilities, and uniform services to clients in education, healthcare, business, corrections, and leisure. Its core market is North America (U.S. and Canada) with a presence in 19 other countries.

LOCATION: Philadelphia, PA
COMPANY SIZE: 265,500 employees, $14B
INDUSTRY: Managed Services

THE CHALLENGES

● Unable to see Total Cost of Risks across enterprise

● Extremely complex organizational hierarchy

● Needed line of sight into global business units and the impacts they had on the corporate objectives

● Highly manual process

● Inability to drive accountability

THE SOLUTIONS

● RMIS (Risk Management Information Systems)

● Claims Admin

● ERM

● EH&S

● Compliance

● Internal Controls/SOX

20,500+ USERS

THE RESULTS

● Ability to automate Claims and Risk processes

● Overall view of enterprise-wide risk aiding forward-looking decisions

● Compliant with SOX regulation (Sarbanes-Oxley)

● Improve corporate visibility over current silo approach

VODAFONE: A CASE STUDY

Vodafone Group, plc. is a British multinational telecommunications company, with headquarters in London. Vodafone owns and operates networks in 26 countries and has partner networks in over 50 additional countries. Its Vodafone Global Enterprise division provides telecommunications and IT services to corporate clients in 150 countries.

LOCATION: London, UK
COMPANY SIZE: 20,000, $47.63B
INDUSTRY: Telecommunications

FIRST ACTIVE: 2016

THE CHALLENGES

● Required ability for clear Line of Sight on Priority Risks to Group

● Manual Risk Assessment process

● Reduce business exposure and ability to prove assurance testing across all lines of defence

THE SOLUTIONS

● Compliance

● ERM

● Privacy Solution (GDPR)

● Internal Audit (2018)

450+ LICENSES

THE RESULTS

● Ability to fully automate risk processes across global territories

● Core ability to generate ‘Line of Sight’ board level report for key risks to Group

● Fully reportable assurance testing result

● Risk Consolidation and Aggregation to provide insight into frequent business risks

Technology Improves Processes But Doesn’t Lessen Risk Concerns

● GRC platforms have been on the market for nearly 15 years

● 29% of business decision makers report that they have implemented a GRC platform

● 30% plan to implement within the next 12 months

WHAT ARE YOUR KEY BUSINESS CHALLENGES TO MANAGE RISK?

How is our risk landscape evolving?

Do we have the right technology and personnel?

How effective is the company in managing its top risks?

What facilities are at most risk for operational disruption and loss?

Do we know who our 3rd parties outsource to (e.g. 4th parties, 5th parties)?

What is the cost of compliance?

3 Lines of Defense

The Three Lines of Defense Model

The Right Data Architecture for 360° Contextual Intelligence

[Slide graphic: linked data model with the following object types]

● Strategic Objectives

● Entity: Organization, Department, Process, Asset

● Risks: Strategic, Operational, Financial, Regulatory, Contractual

● Obligations

● Controls: Preventive, Detective, Corrective

● Values

● Code of Conduct

● Policies & Procedures

● Complaint Policies

● Issues

● Event

● Training & Awareness

● Investigation

● Roles: Owner, Subject Matter Expert, Employee

● Action Items

Distributed & Disconnected Data Points → Analyzed to understand relationships → Integrated and mapped together to provide context

PUSHING 2.5 QUINTILLION (2,500,000,000,000,000,000) BYTES EVERY DAY.

*Source: Brian Solis & JESS3 Prism 5.0

A SHIFT HAPPENED

NOW, EVERYONE IS A JOURNALIST 24 HOURS A DAY.

MANAGED IN SILOS

● CARD SIGNUP SCANDAL

● LACK OF AWARENESS

● POOR RESPONSE TIMES

● ENVIRONMENTAL DISASTER

● PATHOGEN OUTBREAK

Exercise: Practice what you Breach

Background

You are an executive in a large internet company, in one of the following roles:

– Chief Executive Officer (CEO)

– Chief Operating Officer (COO)

– Chief Financial Officer (CFO)

– Chief Information Officer (CIO)

– Chief Marketing Officer (CMO)

– Chief Human Resources Officer (CHRO)

– General Counsel

Objectives

● Understand the strategic level and performance impact that a cyber attack can have on a major corporation

● Understand the interconnected roles and responsibilities of the C-Suite during a cyber incident as well as their respective perspectives

● Recognize the importance of identifying and managing cybersecurity risks across the organization, including the integrated impact across all risk types

● Gain insight into how risk leaders can best navigate a cybersecurity incident as part of an enterprise-wide risk response plan

Ground Rules

● Don’t fight the scenario - it’s fictional and for training purposes only

● You are not a security professional for the sake of this scenario!

● Determine your strategy, audiences, and messaging for each stage of the crisis, but be aware you will never have as much information as you would like to make a decision (that’s how it is in the real world!)

● Chatham House rules – nothing you say here will be attributed to you or your organization

Background

● You are an executive in a large internet company with over 1 billion active users and a current acquisition target of a Fortune 100 technology company to expand its mobile offerings

● Late this evening, your CISO informs the Executive Leadership Team that authentic personally identifiable information (PII) and customer credentials have been discovered on Pastebin; no attack vector or malware has been detected at this time

● Several internal databases are currently experiencing issues and have gone offline

● The Executive Leadership Team has tasked IT and Security to gather more information, begin remediation where possible, and provide routine updates

Discussion: Setting Expectations

● Who should be in charge of the response effort?

● What is your role’s primary concern at this point?

● What actions, if any, would your role take right now?

● What is the Executive Committee’s primary concern at this point?

● Should the Board be notified of these developments at this time?

Move: Initial Investigation

● Initial indications from the Security team confirm that a number of customer accounts and their data have been compromised

○ Investigation into the exact scope and scale is still underway

● Employees across the enterprise are reporting ransomware on their company issued mobile devices

● A hacker group online claims to have sensitive executive emails, including leaked information related to the potential acquisition and other embarrassing communications

Discussion: ELT Committee Decision

● What is your role’s primary concern at this point? Has it changed given any of these new developments?

● What competing business interests are in consideration at this point? How will you decide which interests take precedence?

● Should the Board be notified of these developments at this time?

● What are the primary concerns you anticipate from the Board?

Move: Escalation

● Law enforcement reaches out regarding the incident and submits a list of questions

● Security sends its first report and the scale of the breach is confirmed to be significant, compromising millions of accounts and significantly impacting employee internal communications and business continuity

● An outside Incident Response firm has been contacted to deal with remediation efforts

● Reports indicate employees are conducting business on personal email due to issues with company devices

Discussion: Liability and Business Impact

● What are the Executive Committee’s top priorities and concerns in protecting the company, given the widespread impact of the breach?

● What are the potential business risks of bringing all systems back online?

● What is the current liability exposure of the company at this point?

Move: Fallout

● Your CEO calls to report the breaches to the potential acquiring company, two days before the merger is officially announced

● Your CMO works with public relations and publicly announces the existence of the breach, immediately leading to significant and persistent press coverage, including rapid and uncontrolled impressions

○ New reports from key sources indicate your company knew about the breach for a substantial amount of time before disclosing it

○ Leaks from internal sources also indicate the ELT knew about the breaches during merger negotiations, while representing in its most recent SEC filing that there had not been any breaches

Discussion:

● Now that the breach is public, what is your communications and PR strategy?

● What will your strategy be given the current state of merger negotiations with the Fortune 100 tech company? What stakeholders need to be involved in developing that strategy?

● How will your role work together with other internal and external stakeholders? What challenges or pitfalls do you anticipate?

Final Discussion + Group Insight

● What are your top three takeaways from the role of the C-suite in a cyber crisis?

● What tools and capabilities would help the C-suite operate and respond during a crisis of this nature?

● What insights did you acquire relative to the interplay between C-Suite roles?

● Based on today’s discussion, what recommendations would you make to your own organization about how it prepares for and responds to a cyber crisis?

Epilogue

● Billions of global customer accounts and data were ultimately compromised in the attack

● Due to the security incident and subsequent fallout the acquiring company cited material breach, threatened litigation, and reduced its offer by $350 million

● The SEC announced it will begin an investigation into your company and whether the data breaches should have been reported sooner

● Your company will bear sole responsibility for any shareholder lawsuits and SEC investigations

● Should the deal still go through, remnant costs arising from the breach still exist; those and future liabilities will be split between your company and the acquiring company

Takeaways

● Cyber risk influences the traditional enterprise risk categories

● Pinpoint causal risk (poor preventative controls) versus outcome risk (reputational damage)

● Risk has roots that run deep; without integrated risk management, understanding, measuring and triaging complex risk events in a timely manner is impossible

● Enterprise level risk knows no boundaries

● IT risk is a business issue; avoid over-reliance on CIOs and CISOs

● Well-orchestrated response mechanisms are a competitive advantage

Brand resilience is the new strategic initiative for risk professionals. Protecting hard-earned corporate reputations takes on greater importance as companies shift strategic priorities to win, serve, and retain customers. When a crisis strikes — whether the result of executive malfeasance, a product safety recall, a security breach, or another violation of a company's brand values — the results can be disastrous. Given that, risk professionals can no longer overlook the growing value and vulnerability of corporate reputations. 87% of the S&P 500 net worth is tied to intangible assets ($17.5t).

Forrester’s Renee Murphy, GRC Vision 2017 – 2022: “Customer Demands Escalate as Regulators Falter”

Questions?

Cameron Jackson [email protected] https://www.linkedin.com/in/cameronjackson/