182151_634571400531285000 (1)
TRANSCRIPT
7/21/2019 182151_634571400531285000 (1)
1/27
Risk Monitoring: Week #4 CRISC Exam Prep ~ Domain #3
Bill Pankey
Tunitas Group
2/27
Job Practice
Collect and validate data that measure key risk indicators (KRIs) to monitor and communicate their status to relevant stakeholders.
Monitor and communicate key risk indicators (KRIs) and management activities to assist relevant stakeholders in their decision-making process.
Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.
CRISC Risk Monitoring Domain
3/27
Agenda
Key Risk Indicators: What are they
How to construct
How are they used
How are they improved
How are they reported
Data Aggregation / Benchmarking
No distinct RiskIT monitoring process
4/27
Expansive View of "Risk Monitoring"
Risk Governance: effectiveness of the risk management program and recommend improvement (C
5/27
...nd decreasing
Added opportunity to manage risk
Surprisingly, statements about changes in risk are less ambiguous / more objective than the statement of risk
6/27
Key Risk Indicator (KRI)
Metric / observation used to track risk level at a specific time point, where likely unacceptable loss or "trouble ahead"
Indicator becomes "key" when it tracks an important risk
Is reliable, cost effective
# of unpatched systems is a risk indicator, but may not be "key": What is the risk that is being tracked? How important is that risk?
7/27
KRI are not KPI; KPI could be KRI
KRI are leading indicators: intended to be predictive of future loss / outcome
Key Performance Indicators are lagging indicators: report on accomplishment of activity / process
A given KPI could be used as a KRI or component of KRI
% of (expected) function points delivered on time: measure of project efficiency / could be used as indicator of project delivery risk
8/27
KRI Uses
KRI proxies Risk Measures
Source: Risk Management Association 2005 survey of operational risk management
Strategy
Normalization
Risk communication
Compliance ...
9/27
Why KRI are Important
RISK FACT scenario
Change in risk factor (some risk indicator) logically and (typically) temporally prior to risk event
10/27
KRI Selection
Unlimited # of risk indicators in logs, alarms, reports
What to select for regular monitoring as KPI: reflects management priorities / stakeholder concern
Strategic and / or operational business impact
Management utility / basis of management report; basis for risk communication
"What gets measured gets done" (Drucker, The Practice of Management)
11/27
KPI Goodness Criteria
1. Associated with one or more specific risks
2. Measurable at specific points in time
3.
12/27
KPI Goodness Criteria
1. Quantified (#, %, ratio, rate)
2. Well defined / reproducible
3. Time independence
4. (Business Process) independence
5. Auditable
6. Comparable across organizations
Comparability
13/27
KPI Goodness Criteria
1. Timely: readily available in a reasonable time frame
2. Cost effective to collect: as a production of an automated system, by-product of a process or service
3.
14/27
KPI Process Steps (ISACA Best Practice)
1. Data access: ensure timely, reliable data delivery
2. Data validation: match definition; complete; within range; missing data; duplicates; reliability of derived values; "referential" integrity; reasonableness checks ...
3. Data analysis: statistical computations; conclusions / inference
4. Reporting: right people, right format
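The data validation step above lists the checks but not how they look in practice. The following is an added example written for this page (not ISACA's or the author's code): a small validator run over a constructed feed of KRI observations. The registry, field names, risk identifiers and sample rows are all assumptions made for the example; each check maps to one item on the slide (definition, missing data, range, duplicates, referential integrity, reasonableness).

```python
"""KRI data validation (process step 2 on the slide), as an added example."""
from collections import Counter

# Hypothetical KRI registry: the definition each observation must match,
# plus the risk each indicator tracks (the "referential" integrity target).
KRI_REGISTRY = {
    "KRI-01": {"unit": "count", "min": 0, "max": 10_000, "risk": "R-PATCH"},
    "KRI-02": {"unit": "percent", "min": 0, "max": 100, "risk": "R-STAFF"},
}
KNOWN_RISKS = {"R-PATCH", "R-STAFF"}  # the risk register the KRIs refer to

# Constructed sample feed: one row per (indicator, period) observation.
SAMPLE_FEED = [
    {"kri": "KRI-01", "period": "2019-06", "unit": "count", "value": 42},
    {"kri": "KRI-01", "period": "2019-07", "unit": "count", "value": 1200},
    {"kri": "KRI-01", "period": "2019-07", "unit": "count", "value": 1200},   # duplicate
    {"kri": "KRI-02", "period": "2019-07", "unit": "percent", "value": 135},  # out of range
    {"kri": "KRI-02", "period": "2019-06", "unit": "count", "value": 91},     # wrong unit
    {"kri": "KRI-09", "period": "2019-07", "unit": "count", "value": 3},      # unknown KRI
    {"kri": "KRI-01", "period": "2019-05", "unit": "count"},                  # missing value
]


def validate_feed(feed, registry=KRI_REGISTRY, known_risks=KNOWN_RISKS, jump_factor=10):
    """Return a list of (row_index, check, detail) tuples; an empty list means clean."""
    issues = []

    # Duplicates: the same indicator reported more than once for one period.
    seen = Counter((r.get("kri"), r.get("period")) for r in feed)
    for (kri, period), n in seen.items():
        if n > 1:
            issues.append((None, "duplicate", f"{kri} {period} reported {n} times"))

    # Referential integrity: every registered KRI must point at a known risk.
    for kri, spec in registry.items():
        if spec["risk"] not in known_risks:
            issues.append((None, "referential", f"{kri} tracks unknown risk {spec['risk']}"))

    # Per-row checks: definition match, completeness, unit, range.
    for i, row in enumerate(feed):
        spec = registry.get(row.get("kri"))
        if spec is None:
            issues.append((i, "definition", f"unknown indicator {row.get('kri')}"))
            continue
        if row.get("value") is None:
            issues.append((i, "missing", "no value reported"))
            continue
        if row.get("unit") != spec["unit"]:
            issues.append((i, "definition", f"unit {row.get('unit')} != {spec['unit']}"))
        if not spec["min"] <= row["value"] <= spec["max"]:
            issues.append((i, "range", f"{row['value']} outside [{spec['min']}, {spec['max']}]"))

    # Reasonableness: a value more than jump_factor times the previous period is suspect
    # (first occurrence wins when a period was reported twice).
    series = {}
    for row in feed:
        if row.get("kri") in registry and row.get("value") is not None:
            series.setdefault(row["kri"], {}).setdefault(row["period"], row["value"])
    for kri, by_period in series.items():
        ordered = [by_period[p] for p in sorted(by_period)]
        for prev, cur in zip(ordered, ordered[1:]):
            if prev > 0 and cur > prev * jump_factor:
                issues.append((None, "reasonableness", f"{kri} jumped from {prev} to {cur}"))
    return issues


def is_clean(feed):
    """True when the feed passes every check and can proceed to analysis."""
    return not validate_feed(feed)


if __name__ == "__main__":
    for issue in validate_feed(SAMPLE_FEED):
        print(issue)
```

The jump factor and the registry are the example's own policy knobs; in a real programme the definition, range and "reasonable change" per indicator would come from the KRI specification agreed with the process owner, so that a failed check is a data problem to fix before step 3 rather than a false movement in the risk report.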
15/27
KPI
16/27
KPI Validity: Causal Factors
Utilize expertise of subject matter experts, process and service owners
1. Identify the risk scenarios of greatest concern
2. Decompose scenario into leading risk factors
3. Identify indicators for those factors
17/27
KPI Timing
Clinger-Cohen Act of 1996: new demand for certified IT professionals. KRI: Industry Salary Index (annual)
Loss of key IT personnel. KRI: Mid-level Staff retention rate
Failed IT project
Early indication: greater opportunity for correction
18/27
Pro-Active Risk Management
19/27
Aggregation
Address management concern regarding "overall" risk
Specific business objectives; Strategic ...
20/27
Aggregation
Diversity Problem: for different risk domains (say IT, Legal, Finance ...) KRI are specialized
KRI have different time periods
KRI have different granularity
KRI have varying sensitivity
KRI have varying relevance, reliability and validity
This is a problem that is not solved so much as overcome
21/27
Aggregation Heuristic
Report risk as a dimensionless quantity (counts, %)
Report risk as % red, yellow, green: code each KPI relative to its threshold (red or green)
For each risk, count the number of associated KPI above or below threshold
Report risk as increasing or decreasing: # KPI indicating lesser risk / # KPI indicating greater risk
Loss data: cumulative impact of loss events
Possible impact of "managed events" (intervention)
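The heuristic above is how indicators with unlike units and time periods get added up, and it is also where the "Bottom Line" slide's idea of expressing risk appetite as a KPI threshold value is put to use. The following is an added example written for this page, not the author's or ISACA's code: each KRI is coded red or green against its own threshold, counts are taken per risk, and the direction of change is read off as # indicators moving toward greater risk versus lesser risk. The indicator names, thresholds, values and risk identifiers are constructed for the example; "yellow" would simply be a second threshold, which the example leaves out to stay with the slide's red-or-green coding.

```python
"""Aggregation heuristic (red/green coding, counts, % red, direction), as an added example."""
from dataclasses import dataclass


@dataclass
class KRI:
    name: str
    risk: str             # the risk this indicator tracks
    value: float          # current period
    previous: float       # prior period, for the increasing/decreasing view
    threshold: float      # risk appetite expressed as a KPI threshold value
    higher_is_worse: bool = True

    def colour(self):
        """Red once the indicator has breached its threshold, else green."""
        if self.higher_is_worse:
            breached = self.value > self.threshold
        else:
            breached = self.value < self.threshold
        return "red" if breached else "green"

    def direction(self):
        """'worse', 'better' or 'flat' relative to the previous period."""
        delta = self.value - self.previous
        if delta == 0:
            return "flat"
        worsening = delta > 0 if self.higher_is_worse else delta < 0
        return "worse" if worsening else "better"


# Constructed indicators spanning IT, HR and compliance domains with unlike units.
SAMPLE_KRIS = [
    KRI("unpatched critical systems", "R-PATCH", value=38, previous=22, threshold=25),
    KRI("mean days to patch", "R-PATCH", value=9, previous=12, threshold=14),
    KRI("mid-level staff retention %", "R-STAFF", value=82, previous=88, threshold=85,
        higher_is_worse=False),
    KRI("open critical audit findings", "R-COMPLY", value=1, previous=1, threshold=2),
]


def aggregate(kris):
    """Dimensionless summary: per-risk counts, overall % red, and overall trend."""
    per_risk = {}
    for k in kris:
        entry = per_risk.setdefault(
            k.risk, {"red": 0, "green": 0, "better": 0, "worse": 0, "flat": 0})
        entry[k.colour()] += 1      # above/below threshold count for this risk
        entry[k.direction()] += 1   # movement toward greater/lesser risk
    total = len(kris)
    red = sum(e["red"] for e in per_risk.values())
    worse = sum(e["worse"] for e in per_risk.values())
    better = sum(e["better"] for e in per_risk.values())
    if worse > better:
        trend = "increasing"
    elif better > worse:
        trend = "decreasing"
    else:
        trend = "stable"
    return {
        "per_risk": per_risk,
        "pct_red": round(100 * red / total) if total else 0,
        "trend": trend,
    }


if __name__ == "__main__":
    summary = aggregate(SAMPLE_KRIS)
    for risk, counts in summary["per_risk"].items():
        print(risk, counts)
    print(f"{summary['pct_red']}% of indicators red, overall risk {summary['trend']}")
```

Because every indicator is reduced to red/green and better/worse before anything is summed, the diversity problem from the previous slide (different units, periods, granularity) is sidestepped rather than solved, which is exactly what the heuristic claims; the cost is that a single badly chosen threshold moves the overall picture as much as a well chosen one, so the threshold values deserve the same validation as the data.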
22/27
Management Report
Visual display of risk based on risk indicators
With thanks to Excel, easy to produce: Dashboards (red light / green light), "gauges", Heat Maps, Spider Diagrams
Industry Risk
23/27
Industry Risk Benchmarks
Collection, summarization of risk data: Loss data, KRI
Source for validation of enterprise results
Trend analysis
Risk analysis data: comparative benchmarking (company)
e.g. Standard KPI
24/27
e.g. Standard KPI Specification
www.KRIeX.org Repository
~500 KPI specified and monitored
25/27
e.g. Loss Data
26/27
Bottom Line
Express organizational "risk appetite" in terms of a KPI threshold value
Alert management to trends that may affect achievement of objectives; use KPI to initiate mitigation activity
Provides measurable data conducive to aggregation
Assists in demonstrating compliance
27/27
Next Week
CRISC Domain #4: Control Design & Implementation