Understanding IT Risk Management

Captions
Monica: Hello everyone, welcome to our webinar. My name is Monica McMahon. Super excited to be here with you today to talk all about risk and risk assessments, risk management. Kai Wong is a partner at Deloitte based out of Toronto, and he is a total expert on risk management and risk assessments for the IT world. Maybe before we get started you can give us a little introduction of yourself, Kai.

Kai: Sure, thank you, and thanks for having me on this webcast. That's right, I'm a risk advisory partner with Deloitte, and I've been at this for over 25 years, practicing primarily in the technology, media and telecommunications space, and that includes five years in Silicon Valley. I also spent some time as an enterprise risk leader for a public company. Today I'm based in Toronto, and I help high growth companies in the mid market across all industries with various aspects of risk management. So my practice would perform all kinds of risk assessments, including enterprise risk assessments, IT risk assessments, those that are required for ISO, cyber, SOC reporting, all of that.

Monica: So you have done the small company, the big company and everything in between, so it sounds like you'll be able to walk us through this very well today. So clearly, based on that, there are some people who are going to be confused, people who don't know what it is. And a lot of the companies that we work with at Tugboat Logic, they start their SOC 2 process or their ISO 27001 process, or there's some government regulation, and it goes, "you need a risk assessment." So just for those people, and for all of us who aren't sure, can you talk us through what a risk assessment is at a high level?

Kai: Yeah, I mean, I think simply put, a risk assessment is a process for identifying and prioritizing risks. So your intention there would be to do something to address those risks in accordance with its priorities. That's why you would do it. But I think first of all, before you go too far along in that, you need to define what risk is, right? And I think a lot of times, if you think about risk, it's got this negative connotation. You think about risk in terms of some kind of loss scenario, or something bad is going to happen, you need to avoid it or somehow prepare yourself for it. But that's really only part of the answer. When we classically think about risk in the risk profession, we're talking about what can get in the way of achieving your business objectives, whatever that might be, or your overall strategy. So this idea of having a business objective or a goal or strategy is orienting for risk assessment: that is what you are actually trying to achieve, what can get in the way. So it's not just the things that could be loss scenarios, where you buy insurance or things like that, but it's really much broader than that. So I think you're correct that risk assessment is sometimes something that you do in a formal sense, at least when you're asked to do it. The business partner comes along and says, hey, do you have an ISO certification, do you have a SOC report, and that kind of brings in a risk assessment process. But those are really just an industry standard way of thinking about risk assessment, and only one, and it's really just a compliance way of thinking about it. There's a broader way of thinking about risk assessment.

Monica: Right. And so what you're saying is that risk assessment goes far beyond the hurricane or the cyber attack. Sometimes it's not achieving objectives, or things that are not going to be huge catastrophes but still will get in the way of your objectives.

Kai: Yeah, I mean, it's interesting. Sometimes you think about risk, you think about controls, right? Especially in a compliance context, because you're thinking, well, I've got to control it, and then let's audit those controls. But not everything in risk is like that. Like the pandemic, for example: we did a lot of risk assessments before the pandemic. Business continuity, not surprisingly, would be on a lot of companies' top ten; sometimes it was the top one. Hardly anybody at the time that I was doing them thought pandemic would top the list of the reasons why that would be. It just wasn't the time when people had it top of mind, right? If you did it again today, it would be, and we have people not only making something like business continuity the top of the list, but they're splitting it out and going, well, there's different types, right? And we think we've been through the pandemic, and we've gotten through that, however we've gotten through that, but what about other things that could cause continuity issues? So those are not things that you control, right? You're not going to stop the pandemic, but you can be more prepared for it.

Monica: So if there's one thing we've learned in the last couple of years, it's that we as individuals are probably not going to stop a pandemic. So you've talked about big companies and this formal risk process, but what about small companies? What about these companies who are so focused on survival that they might not be putting days aside to do a formal risk assessment process? Should they put the effort in? What does it look like for them?

Kai: Yeah. So again, thinking about risk assessment more broadly, my perspective would be that every successful company already manages risk, and therefore assesses risk. You can't manage until you've assessed it, right? That's how you become a successful company, and I think any entrepreneur or business leader knows that. The question really is more: are you at a point where you're going to apply a more structured and disciplined approach to risk management? Not whether you're doing it at all, because you most definitely are. So that's where you bring in the frameworks and you bring in the standard methods. Also, when you're doing it as an activity that involves a broader team, when you're trying to level set across a number of stakeholders, then you might have benefits in having a more consistent, formal method of doing a risk assessment.

So why do this? Well, we already talked about compliance being a driver. So if someone asks you for one, or asks you for something that involves a risk assessment as a starting point, then you know your answer there. Some companies are proactive about it, though. Maybe having a certification, having a SOC report, something like that, may give you a competitive advantage, right? Even if no one's asking you for it today, it can be a differentiator. So I've seen that as being a driver, but still that's got that compliance angle to it. I think if you put compliance aside, any business eventually gets to a point where there's too many stakeholders, the business is getting too complex, the associated risks are getting too complex and dynamic, and there's too many people involved in effective risk management. And so you're at that inflection point where you've got to do it in a more structured and disciplined way, and maybe you need to make some investments to do it.

So I'll give you an example. I was working with a private company, and they were not regulated, they weren't public, and they had a full, robust ERM process and program reporting to the family office. And so I asked the CFO, why do you have this? Because you don't always see this, and you don't seem like you're the type of organization that's required to do it. And he said, well, looking back at the financial crisis around 2008-2009, the combination of that event, along with some unexpected litigation, along with some ransomware cyber attacks, nearly crippled the business. And so it was at that inflection point that they said, well, we've got to stand something up and make sure that we're disciplined about risk and always put it on the agenda for management and the family office. So everybody has their own drivers.

Monica: Yeah, for sure. I like this concept that a risk assessment is about taking whatever is sitting in the founder's head, whatever is keeping them up at night, and putting it into a more formal process and spreading it across the company so that everyone's involved, instead of, you know, you never do a risk assessment and then suddenly one day you have to do it for SOC 2. I think that makes a lot of sense. So I'm going to ask you a bit more in a minute about how to do a risk assessment, but just to continue on this train of what is it and what does it look like, can you talk to us a bit about the life cycle of a risk assessment? So we have that startup, where it's just in the founder's head or in a few people's heads, and what happens next, and how does this change as a company evolves? And I'm just going to put the slide on this up for you as well.

Kai: I have a slide on this, actually, that might help frame things up. It's kind of a maturity model, although with any maturity model it's not necessarily true that you're trying to go all the way to the right hand side of it. It's kind of one size fits one in terms of what your needs really are and where you want to get to. So at least what I've seen is that if you're a startup or scale-up, a business that doesn't have a specific need for formal risk management, then your risk assessment process is very likely informal and undocumented. It's on this ad hoc side of things, right? Clearly you're doing it. Every business owner, entrepreneur knows that you need to be mindful of risks. But sometimes it's up to the heroics of yourself or your management team, maybe even individually, not as a team together, of figuring out what your risks are and making sure that you're doing the right things. So you have some ad hoc areas that are being addressed. Maybe it involves very limited or a few stakeholders. There's no defined method. You're just running your business. And oftentimes it doesn't use enabling technology. Maybe one of the shifts that we're seeing now, though, is that more often we're seeing the earlier use of risk management technology for things like risk assessment, because now you've got technology like Tugboat offers, or you have more capabilities more accessible at the right price point, so you're seeing that earlier on in the evolution. That's one thing that we've been seeing.

The second stage is like what we were talking about: let's say suddenly you've been asked, for some compliance reason, to have a risk assessment process, so you're now embarking on that. There's probably a specific reason why you're doing it, and so you are now implementing a policy. You've got a formal, defined, repeatable process, but it's usually narrowly scoped, right? Some specific set of criteria you're trying to meet. But it is performed consistently and more formally, and you're involving more stakeholders. If you're doing it based on any of the frameworks, then this is the way that you do it, to get some alignment on risks. And you probably have some enabling technology, or are looking into it at this point, because it's not the type of activity you can do outside of your desk, right? It's something that someone's got to organize.

And then if you look at maybe a more optimized organization, they're probably looking at risk assessment not just for compliance purposes. They're probably looking at it at different levels, right? Sure, they may have some compliance drivers, but there are probably
other reasons why they're doing it, maybe at an enterprise level, at an overall strategy level, right? And so you've got multiple drivers. You probably have multiple variables that you're looking at, because sometimes you start out doing something basic, but there are layers of complexity that you add on to give you more insight and foresight. So you may have other data sources, you might have risk indicators that you've defined and you're monitoring those, maybe your automation is enabling some of that. And I think the last thing here is that you're integrating risk management back into the business. Like when you're starting at the ad hoc point, risk management is just management, and you're just doing it as part of what you do to manage your business. And then when you end up being optimized, it's the same thing: you're trying to reintegrate risk management so that it's not something separate and compartmentalized and done separate from management. You want it integrated, and technology can help you do that.

Monica: Yeah, okay, that's super interesting. I think hopefully all of our companies are going to be able to go through at least part of this journey, everyone who's here today. So can you maybe walk us through, now that we understand this process, how should we as companies, and many people on here are at that sort of middle stage of trying to make it a little bit more of a formal process for now, how should they think about doing it and starting out on that process?

Kai: Yeah, so I think there's another slide here where I just put maybe the most standard way of thinking about a risk assessment process. This is actually out of COSO, which is the underlying framework. It's the mother of all frameworks that define risk management and internal controls. So you may have other frameworks; they're usually derivative, at least from a fundamentals perspective, from the processes and principles that are defined in COSO. So what COSO says about risk assessment are these green boxes, right? You go through this process: you're identifying your risks, you develop assessment criteria, then you've got to go through some kind of assessment process, and then there's risk interactions to think about, not just thinking about risks on their own, and then you go through prioritization so that you can respond effectively to the risk. So none of that is rocket science. It makes perfect sense, very logical, and that's why it's in the standard. This is how you should, at a high level, think about risk assessment, and how most organizations would think about it.

Now, where things get a little bit more complex is in the weeds of what you're specifically doing. So identify risk, for example: a lot of times what's meant here is to cast the net wide, right? What are all the risks you should consider? Maybe you're doing this for NIST, right, so you've got the risk domains, you've got identify, protect, detect, respond, recover. Maybe it's ISO and you're trying to define what your information security management system is. SOC 2, you'd be looking at security, confidentiality, availability, privacy, processing integrity and so forth. Or COBIT. There's an endless amount of frameworks that can help you be more comprehensive in identifying risks, and those are just the frameworks; it's also what you see. So you've got to take the frameworks to inspire you, but then think about what your real risks are. And if you do that real well, you'll end up with too many risks. We've certainly gone through a lot of exercises with some companies where they're being very broad about it. You end up with hundreds of risks mapped out, and where do you take this next, right? That's too much to understand and to do something about.

So that's where the risk assessment criteria start to come in, because not all risks are equal. So you need some kind of process for thinking about, well, if I take any of these risks, or a bucket of these risks, what's the impact and likelihood? That's probably the most basic way to think about criteria. Each risk will have an impact on your business, whether it's financial, reputational, operational or otherwise, and each one has a probability, if you're thinking about it in terms of risk events, right? If you want to make it even more complicated, then another way to think about it would be to layer on: well, what is the risk inherently, versus after considering all the mitigation that you already try to do, all your controls? So hopefully it reduces the likelihood or reduces the impact, right, because you've tried to manage it. But then you can think about that analysis of how far you're taking your mitigation.

Monica: Right. So to jump in with an example, it would be like, what is the risk if someone hacks your unencrypted database, but then your mitigation is encryption, so what's the risk afterwards, kind of thing?

Kai: Okay, yeah. So then what's your residual risk after that control is hopefully a lot less, right? So your vulnerability, for example, would be a lot less. But then you can still think about, well, if the inherent risk was this high, are we still doing enough? Do we need more layers to that, right? So there's some analysis there to think about. And then there's other criteria too; we won't get into too much, but like speed of onset. Sometimes risks can come at you really quickly, right? So there are other factors.

Then the assessment of risk is really where the big filter comes in, because you've got all these risks. You've got to think about, well, if they're all relevant then someone ought to do something about each of them, right, and that's just running your business. And so part of this is trying to empower people to be able to manage all those risks. But then if you're thinking about senior management or family office or something like that, then there's probably a smaller set of the risks that you want to bring forward and go, well, hey, these are the risks that deserve management attention, you should think carefully about these. And so you don't want to bring all risk to the board, so there's got to be a way that you filter things. And then once you work things out, the reason that you assess risk interactions is that sometimes, even if you've considered individually something not to be too interesting, whether it's impact or likelihood or otherwise, if you aggregate a bunch of them they might become interesting, they might become severe. So you've got to think about the risk dependencies and take another look at things even after you've done your initial assessment. And that all feeds into your prioritization.

What you're seeing on the bottom right there is a risk heat map. That is probably the most common way that people will try to conceptualize their top risks: they'll put it on a grid and they'll say, well, look, the ones up and to the right, the reason that's red is because they're both high in likelihood and high in impact, right? And then the ones that are lower are less so. And what you're seeing on the bottom left here is, like what I was saying before, you can do risk assessments at different levels of the organization. Think about it enterprise wide and go, what's the risk to my overall strategy? And then you can also look at different layers and go, well, I'm specifically interested in IT, or specifically interested in financial risk, or whatever it may be, right? There you can do risk assessment in different layers and focus on different domains, but then ultimately there's also this overall: what's your risk to your overall business strategy, right?

Monica: Okay, so a few questions from that. You mentioned that you need to empower the organization because you can't have just one person going out there and trying to mitigate all these risks on their own. So who's typically involved in that initial risk assessment conversation, making that list of risks?

Kai: Yeah, so that is a very interesting question, because I've been doing this long enough that I've seen every triangle, rectangle way to think about what a risk management program looks like in an organization. But what's always stood out for me, and I know someone that told me this at one point, is that it's the flow of information that really is the linchpin in all of this. You can have all this structure and all these programs and all these people doing things to try and assess and mitigate risk, but if the information doesn't flow, then the whole thing breaks down. If you have someone who's at the front line of risk, I mean they're dealing with a customer every day, or they're looking after their IoT systems making sure it's up and running, and if something happens and that information doesn't flow up to management, or communications are made to third parties, then it breaks down. If you have an intention at the board or management level, and you need certain things to have a particular focus, like there's a mandate that you want to push through the organization, but the communication doesn't happen where it needs to, then that can be a failure point. There's so many failure points that have to do with communication, and it's communication between stakeholders.

So who should be involved in risk assessment? Well, ultimately everybody is a risk manager. It's another way of thinking about enterprise risk management, ERM: everybody's a risk manager. But I'd say that that's more on the optimized side of that maturity model that we were looking at, right? And obviously if you have technology enablement, then that helps you in connecting everybody in a dynamic way, in order to be involved in the way appropriate to your role, right? In this exercise, risk management as a discrete exercise, who should do risk assessment depends on the purpose. If you're trying to do it for SOC 2 or ISO, then you probably have someone who's quarterbacking that and trying to make sure that that discrete activity at that point in time gets done, involving the right groups of people that are responsible for the specific criteria you're trying to meet.

Monica: Okay. And is it ever a case where, maybe in a little bit of a larger organization, these leaders will have conversations in their individual teams and then come to that risk assessment meeting with some ideas from other inputs in the organization?

Kai: Yeah, I think that's a great point, because where does all this information come from, right? I mean, we're looking at a process here. Well, traditionally it would have come from surveys, right, interviews, workshops. Those are common ways of getting through this process. And so what we've often done when we do, let's say, a broader scope risk assessment is we'll identify a broad stakeholder group right across the organization, and they may do more to ask for input from their departments and groups as well. But then they surface information, and maybe the most effective way to do that is through some enabling technology, like a survey, right? So this comes up and then it gives you information to then go to the executives and go, well, I've heard this from this group of people that we surveyed, and the feeling is that the top risks are in these areas. You're going to give them some frameworks and background in order to inform how they tell us this, but this is what they've said; what do you think, right? So the interviews would help you flesh that out a bit more. Maybe there's agreement, maybe there's not, maybe there's things you
should be talking about. And then you end up taking that information into workshops, right? So you go, okay, we've figured out where the consistencies are and where some of the contrasts are, and usually the executives probably have their own ideas of things that they want to have in the workshop as well. And so that's a common way for this sort of thing to be done, let's say at a management level.

Monica: Yeah, okay. Now for the impossible question, and I know the answer is "it depends," but you mentioned that you don't want to have too many risks. So is there a ballpark of how many you might be aiming for, depending on the size of the organization? What's way too much, what's not enough?

Kai: So there's probably many ways of thinking about that. Let's say that you're doing a discrete exercise, let's say you're trying to meet a compliance standard, right? You're trying to get through a SOC 2 audit, for example. Well, you've got all these criteria. So one exercise to think about is that every criterion has a risk to achieving that criterion, so probably a useful exercise is to go through and think about that, and then from there think about what your mitigation and controls are, which then leads to the audit universe, right? So that's a very practical way to think about it, because you're trying to get the audit done. If you're trying to go into a workshop, let's say with an executive team, unless you're going to make it an off-site for a week, let's say it's a half day or a day session, or a few hours of executive time, then you're probably not going to take in more than a dozen risks to talk about. And so you need that filtering process leading up to it. You think, well, what's going to be the most valuable, what are the most likely candidates for top risk, so that's our starting point. And then as we get into it, we can start thinking about what the relative differences are in priority between those, instead of trying to filter through everything that we got from the earlier identification stage. So it depends on the mechanism that you're using; it depends on the reason that you're doing it. That probably drives the number of risks that you can deal with.

Monica: Okay. And then once you've got that list of risks, who is involved, who typically defines the inherent risk, the priorities? Does that sit with management? Does that sit with whoever is ultimately the risk owner?

Kai: It is something that you may want to get views on at different levels. So I'll give you an example. Sometimes what we are asked to do is, we'll do risk assessments at the executive management level and board, and we'll also do it at a lower level, so involving senior directors or something like that. And one of the interesting outcomes of that sometimes is that they don't agree. I had a client where there was probably general alignment on most things; you'll always have some outliers, but let's say on average, right, there was a clear difference, a dramatic difference, on a couple of top risks between what management thought and what the groups under them thought. And it was an interesting insight, because why is there this misalignment, right? Are we sure that everybody's aligned to do the right things, and on what we believe is a risk and what's appropriate? Because if you have that misalignment, then maybe that's not the case. But sometimes there is benefit in thinking about different ways of doing the risk assessment to drive different kinds of insight.

Monica: Yeah, because if these are risks that are not necessarily catastrophic or technical but more risks to your business objectives, your strategic objectives, then misalignment on what the priorities of those risks are could mean misalignment for the overall company priorities, which is problematic. And that kind of goes back to, at what point should you do a risk assessment, or should you do a risk assessment.

Kai: Well, I mean, if you didn't go through an exercise like this, then you might not know that this was happening. It's only when you take that data point and you do the exercise that you see the difference, and now you can do something about it, right? So I think that's where the insight is.

Monica: Okay. So now we've got all these priorities. You mentioned you don't want more than a dozen for management to work on. Maybe they do their off-site and discuss those risks and how they might be able to mitigate them. What does that ongoing management of those risks look like? We talk a lot about risk assessment, I would say in the world in general, and especially in the world we live in, which has a lot of focus on compliance, but once you've done the assessment, how do you continually manage it and keep it up to date, and ensure that you are actually doing something with all this work and not just putting it in an Excel sheet somewhere?

Kai: Yeah, so it goes back to having an integrated risk management program, and really, to stress the last word, taking a programmatic approach to risk assessment as opposed to a one-time process that you're going through, because risk never goes away. So if you identify a broad set of risks, if you've gone through an exercise like that, there's value there, because now you take these risks and you can figure out, well, if they're relevant, someone should be paying attention: who's the owner of this risk, right? And not every risk is going to be owned by the CEO or CFO or whatever. So it's helpful to go through, next time thinking, we've got risk discipline in the organization, we identified risks, and we know who's accountable for each one. That is done, right? And they probably need some enabling process and reporting, and there's some infrastructure there that probably needs to be built to keep that going.

Then you can think about, well, what is executive management's role in this? So that everybody plays a risk management role and we've done something to enable and empower people, what does executive management do? Well, they typically are responsible for keeping the program alive, right, as well as setting the priorities at the highest level, because executive management is also responsible for strategy. So remember we were talking about how strategy is orienting, right? Your business goals and objectives. I mean, they set the business goals, they set the strategy, they set the objectives. And so if you're thinking about what are your top risks at any point in time, well, it's the top risks to achieving their strategy at that point in time, and if you change your strategy, you change your plans and goals, then it's different, right? So executive management has the steering wheel on that. And then if you think about the board or family office, or those charged with governance, well, they're responsible for risk oversight of executive management, typically, right? And so there's this sense of, what information does executive management need to give to those charged with governance so that they can actually act on that, and be a bit of a sounding board for what management believes are top risks as part of the overall strategy and planning process. So there's a role for everybody. And when you're an organization that really has good risk culture, then all these pieces fit together, with probably enabling process and enabling technology to allow all of this to happen effectively on a day-to-day basis. So it's not just one time, right, trying to pass this audit or whatever it may be.

Monica: Right, so yeah, and you get to the point where, oh, we're changing our strategic objectives, and that automatically triggers that new risk assessment or update process. It's all combined, instead of someone sitting there going, maybe we should look at risk.

Kai: Yeah, risk never sleeps.

Monica: No, but hopefully you will sleep better when you know that you have a risk management process, right?

Kai: Absolutely.

Monica: Okay, so this is all fantastic, maybe a little bit overwhelming for some young companies. So you've worked with lots of small companies. For anyone who's listening who is looking at establishing a risk assessment and a risk management process for the very first time, what words of advice do you have for them, what recommendations do you have for them?

Kai: Well, I think, like a lot of things, keep it simple. There's an endless supply of frameworks to draw from, but unless you have a specific reason to be doing a particular variant of it, you don't need to follow everything by the textbooks necessarily, because at the end of the day, risk management is management. You're inherently doing it anyways; it's just a matter of, can you give it more focus, right? So you can do a simple risk assessment even as a management meeting where you're going to specifically call out risk. Or maybe you already have a planning process; some companies will take the planning process and go, specifically, we're going to talk about risk, right? So there are things you can do that don't really require a whole lot of effort. If you're trying to do it in a more structured way, then there can be a reason to have someone quarterbacking it, facilitating it. You might need someone to facilitate a workshop or things like that. Enabling technology can help with a lot of that process too, right, so that you can be more focused on the risk management aspect as opposed to maybe some of the paperwork and manual work. But I think that being able to give risk focus and putting it on the agenda of management, I mean, you're already doing it anyways, it's just a twist in terms of focus, will end up being valuable in and of itself. And then you can build from there and go, well, do I have other reasons for making it even more structured and disciplined? Am I growing to a point where this is going to be helpful for us to get on the same page as a management team? And do I have a compliance reason where I have to do it in a specific way?

One thing: we did a risk assessment one time with a fintech organization, and it was interesting because they had never gone through a process like this before. And then all of a sudden we were using technology to do anonymous voting. So you take these risks, and each individual person says what they think about the impact, what they think about the likelihood, it averages it all up, and then you see it in real time as it's building up on the screen. And so we'd gone through a good number of the risks, and the CEO pulled me aside and he was like, how do you think this is going? I said, it's going pretty good, there's a lot of discussion and interaction, people are voting, and there's results on screen. He said, I'm actually very concerned. He said, when I look at the results so far, everything's clustered, and what that tells me is that as a management team we can't make a decision in terms of priority, because everything's all clustered together. It's almost like if I gave the team 100 to solve the risk problems that we face, they're going to divide it by 10 and then we solve for nothing. So it was interesting; that stuck with me, because his point was it's not just about the result of the risk assessment, it's about what we learned about each other, and how we work as a team, how we make decisions effectively. And at the end of the day, technology aside, all it was was a meeting, but it really got
people engaged in thinking about risks but also thinking about how they team together so there was a lot of insight that came out of that that one exercise in it it wasn't necessarily that owners are complicated yeah well so do you have any recommendations how do you um help people understand what uh what the rating for within a company is for likelihood and impact and make sure that there is some amount of consistency across the organization obviously if they're all in a room like that one it's not a huge deal because they're all in the same place but when they're not all in the same conversation how do you keep that consistent uh this is actually an interesting challenge so you might think that everybody agrees on what is impactful and what is uh what is uh likely uh maybe there's a clear idea what's likely um but you know the the method that we were looking at before and uh this i think it was the second chevron was talking about develop your criteria where it goes a little bit deeper than that not only do you have to figure out what your criteria are but you have to figure out what it means to you because uh to one person 50 million dollars is a big financial impact someone else 2 million is or 2 000 yeah you'd be surprised how many differences there can be but even there like before you even get to the risk assessment stage let's say you're evaluating individual risks you should agree on what the criteria are and in the context of your business what it means um even likelihood um you might think that's simplistic but uh if you give someone a long enough time horizon everything is likely i think you gotta agree on even that right so we're talking about next year or we're talking about three to five years um so consistency is you know these are healthy discussions though right even as you're going through this process and you're you know maybe you didn't have a reason to have these discussions before but making sure that everybody who's involved in risk 
assessment um like let's say your management team thinks about risk and the same level of of color risk appetite right we think we think this is risky and that's not risky do we all agree well maybe we don't so that's a good discussion and that that can happen even before you get downstream of thinking about individual risks and assessing them against hopefully what are consistent criteria yeah well and it sounds like some of these are our challenges that get compounded as you grow if you're all sitting in the same room you can have that conversation and then as you grow it becomes a bit more about documenting those processes and then you can have some historical examples within that documentation and so the sooner you start the better you can grow yeah it's it's always going to be a journey right there's no end to the journey because um you know the the challenge that i mean the dragon here is risk and it never goes away it's always there and so you know you need to address it programmatically and as your organization scales the stakes get higher potentially too depends on how you think about that but um you know and so well at a minimum you've got more people involved in in trying to address risk and so there's a there's a need to kind of think about it in a more programmatic way and so you're right like first maybe you're trying to set up a program and you know have the right motivations to do that um but then you're always trying to sharpen that because you don't want it to get dull you want to always have a dynamic risk assessment and risk management program that is adding value to the business keeping you out of danger but also enabling the opportunities that you're pursuing right all of that yeah okay so um we have some questions coming in but i have one last question before we get to those sure we talked about how to do it right but let's talk a little bit about the opposite what are common pitfalls that you come across that you can help our wonderful 
viewers avoid yeah i am that's interesting i mean it's one of those things where uh you can you can really boil the ocean on it right and so i think you know going back to what i was saying before is uh um if you're doing it at a management or board level you probably want to be able to get things down to uh you know what you can meaningfully analyze right and and what's worth uh taking up to that that level of discussion so you don't you don't necessarily want to boil the ocean on on risk assessment and sometimes if you're thinking about what what should the board and management be concerned with then well they're they may be your top risks uh they may be your emerging risks but there's it's probably a finite set of those and what's interesting about some risks is that a number of you can have all kinds of risks like especially with something like this is continuity right there can be an infinite number of things that can happen to you but it probably impacts you in a finite number of ways like all these things can happen but it takes out your building right you use your imagination to think about what those things might be but uh and so sometimes there there are ways to kind of uh make sure you're you're finding the right level of focus um and then the other thing that i would say is a bit of a pitfall sometimes is um when you start making something uh process driven uh it sometimes has a danger of becoming a ritual so you know the first time you go through risk assessment and mitigation you have all these findings and you fixed all those things you do it again and it's just in the same way with the same scope and the same people and you find less and less and eventually you get to a point where you find nothing at all i had an interesting discussion one time with the vp of operations at a big telco and so we were we were following up we were saying you know um how effective is risk management being right like um separate risk management functioning and at first 
he said well well look i mean you know periodically people come in they'll look at things from a risk perspective and then we'll get a report and then you know maybe next year something like that will happen again and it keeps happening right we have a process but are you getting value out of that and he said you know i'm not sure say this or not but so then that caught my interest when he said that he said well look i'm a vp of operations nothing works properly that's my job is to keep it working when everything is always falling apart right you know it's a we provide a service very complicated and you know there's always something and and if our risk management processes are just saying that everything's working or it's not you know then there seems to be a mismatch at least right and so you know the struggle was it goes back to this idea of how do you integrate risk management and the next thing he said was interesting too is that no we have a we're a data company we have a data stream what if we could all tap into the data stream collectively and draw out our you know play our different roles and be more integrated like how you know i can see value in that so there's this kind of automation angle to it as well so i just that's always stuck with me as well it's um you don't want things to become so process driven that they're they're kind of just set a baseline and then you know there's value in that because you got to the baseline but for you know dynamic and proactive risk management you probably want to keep it fresh yeah try different things involve different people that's very interesting okay we have quite a few questions coming in um so one of these ones i i liked when we were talking about the likelihood and figuring out exactly what that means within your organization uh this person and i'll read the the verbatim question but they're basically asking do you use external data to quantify that so um would you take data from for example if you're looking 
at the likelihood of a ransomware attack would you take verizon breach investigative reports and try and get an idea of how other industries or similar companies to yours have been affected yeah so um it depends right so uh different companies have a different take on whether quantification is something that they need to do you know some folks use monte carlo simulation to kind of figure out probabilities and you can do things in a very scientific way um if you need to but um but there's a range right there's also um sometimes a risk assessment isn't necessarily to try and get at more precision you just want to kind of get at um get a sense for risk maybe not so precise but then you can on the back of that do a deeper analysis in order to get more precise quantified answers right to risk so you know in a lot of industries like let's say outside of financial services quantification sometimes doesn't have as specific a or predefined method and so you know i'd say that's always been a bit of a challenge is uh when do you quantify how do you quantify and also can you do this all the time because it also takes a lot of work in order to quantify all your risks and there are some risks that are inherently more difficult to quantify like if you think about conduct risk right maybe you know how do you quantify that so yeah yeah it depends on the size of the organization if you have people who are fully dedicated to this or if they're all doing this as one of the few hats they wear how much time can they spend going down those rabbit holes but if you're in financial services and you know sometimes there are some very specific quantifications that you want to do around risk like an insurance business for example right right okay um a question about where this lives within the organization so technology risk is it better managed from within it or another part of the organization so if does the larger organization have resources to focus on that risk more so than just throwing 
another hat at it to where oh this is a this is a classic question may not even be specific to risk assessment risk management but um you know it is interesting from an overall risk management perspective because there's in an organization there are several functions that play supportive roles i.t human resources legal finance right um i mean you may not be making the widgets or whatever but you need these fun they support everybody right and so it's clear they play a role in a very key role in risk assessment risk management and management overall um so can you kind of do it can you kind of think about them individually versus as connected parts to what they support and i think part of the answer is if you're if you're looking at risk from a business perspective uh then you kind of have to think more broadly like the stakeholder group has to be more broad than just id because it supports the business in in in a lot of different ways right not just from a process perspective but you know if you're in a technology company for example i mean it's very integrated with your overall business so it's sometimes it's hard to separate it and go well i'm only going to do risk assessment with i.t people for the it you know that's a very specific scope like if you're doing that then that that probably is for a very specific purpose um and if you're doing uh risk management or risk assessment more broadly for the achievement overall business goals it probably needs to be broader than that and sometimes that means that it's more effective being driven by a stakeholder outside of it it depends on the organization okay perfect there's never a clear black and white answer on these things right um okay so how on a similar vein how do you get people in other departments especially if you have someone who's in charge of that risk or compliance and security team how do you get them to become a risk manager and and establish the mindset across the company that this is important and 
something that they should care about even if it's an additional thing on their desk yeah this is uh this is another classic actually you know what i find this to be very interesting because when you kind of look at uh you can pick up any textbook you know risk management framework that you want uh there's a lot of components to it but i think one of the most important pieces is risk culture right and that probably is the big shift that you're trying to make it's not about turning everybody into a process manager and doing extra paperwork i mean there's a utility in that and then you know that you will accomplish something clearly with that exercise because you're applying discipline something you're going to make something better but um it it takes more than that in order to make the culture shift and for people to really have a deep awareness of risk um to understand um you know what what their role is in terms of risk management because going back to everybody is a risk manager there's nobody who isn't maybe it's a different level of risk maybe a specific type of risk but everybody is a risk manager in our organization so this is something that you need to be mindful of in terms of your program i mean some of it starts with process because process gets you accustomed to focusing on it but it's not just about doing something extra it's really about doing what you're doing differently and more than that it's about thinking about what you're doing differently so it's never really if if you end up having a culture where you know risk is something you do extra and you do it at these times and then someone's gonna check you know that's um um that's probably not exactly the shift that you're trying to go for right and ultimately if you're having those things and there's going to be some element of that what you want to do is make sure that what that does is enable people to really start thinking more actively about risk in their role that's what you want to get to it 
requires communication over time and for people to understand not just what they're supposed to do but why they're doing it i'm not sure i can give you a magic answer for how to make that leap like that and you're always having new people come into the organization and that's why it's culture right it's coming into your culture so how do you how do you kind of have that be something that becomes part of your dna and is carried forward over time well i think one of the things that we talk about related to that as well is a lot when we talk to companies that are starting out their compliance journey they started out earlier even if they don't get sucked too early but they at least think about what their what it's going to mean to do compliance down the road you establish that culture of it earlier and so the same idea if you start talking about risk assessment outside of the founder's head and as a little bit of a conversation whether it's a formal process or not earlier then when you're a bigger company you're not suddenly going oh we need to shift our culture to be to be a culture of risk and and to think about that you know it grows inherently right in organization and that's you know yeah there's there's a lot of power in in talking about things and keeping the dialogue going right and so always having risk on the agenda always talking about it finding ways to kind of incorporate that so once you've got those you know hopefully it's increasing your culture people are taking part in all those um processes do you have any tips for getting stakeholders to document that process especially as the organization's growing people might be changing roles there might be turnover how do you how do you get them to write it down yeah well i mean part of it is is having you know it's always harder to do things after the fact so kind of like as things evolve you need to be keeping up with the documentation as opposed to going back and and you know documenting things that 
happened a while ago but technology helps a lot right and we're seeing a lot more options for that these days than there ever have been um you know more times like when we talk to companies these days i'm i'm finding more and more that um folks are thinking about enabling technology earlier in kind of risk management as opposed to kind of you know doing things in an incredibly manual way and then five to ten years later you know buying a system for it um there's just um more options out there these days and and things that can help you earlier on without as much investment as it might have taken before yeah i have one last question for you is there a good source of risk factors that they that organizations can maybe assess against like a comprehensive place where they can kind of go oh these are some common risks i think that they can try and figure it if they have a massive blind spot well you know it's um there are a lot of frameworks out there and if you're looking at something like it then there's the standard ones that that often come up like the nist and the isos and the you know soft reporting trust criteria cobit um you know there's lots of uh places to look for inspiration for making sure that you're being comprehensive in your thinking when you're identifying risks right if you're talking about your specific business then you kind of almost need an industry print for you what your business does to think about your offer let's call it your operational risk or write it and so that becomes a little more challenging because you need to find a source that is similar to what your company does um and but at the end of the day uh it still comes down to uh the people in your business that that understand the risks that kind of see it every day that's an important source as well right i mean that's the primary sources you want to find out what your specific risks are while you're kind of inspired by the frameworks that are out there yeah perfect that makes sense to 
me well i don't have any more questions uh so thank you so much for your wisdom and your time kai has been very very insightful and i definitely feel a lot more confident about risk assessments now and hopefully our viewers do as well so thank you again for everyone else we will be doing an introduction to sock 2 in november so join us then uh thanks again kai have a great day thank you appreciate it take care bye
Info
Channel: Tugboat Logic by OneTrust
Views: 8,193
Id: V0CGyEUL3ys
Length: 53min 7sec (3187 seconds)
Published: Fri Oct 22 2021