Establishing the Core of an Effective Technology Risk Management Program
0 likes27 views
The document discusses establishing an effective technology risk management program with three key elements: 1) Begin with the desired outcomes in mind such as effective risk management, continuous compliance monitoring, and minimal business disruption. 2) Research applicable laws and regulations to understand technology and security control requirements and leverage existing frameworks to streamline compliance. 3) Establish standard processes, roles, and governance around risk management including standardized risk, control and issue tracking, approval workflows, and leadership reporting to ensure accountability.
Establishing the Core of an Effective Technology Risk Management Program
- 1. Establishing the Core of an Effective Technology Risk Management Program Director, Security Development and Engineering
- 2. Effective risk management helps a company pursue opportunity within the firm’s risk appetite in a controlled way Risk and value are two sides of the same coin Risk appetite is the level of risk that an organization is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk. Risk is an opportunity
- 3. Begin with the end in mind ➢Effective and efficient risk management ➢Continuous demonstration of compliance status ➢Minimal out of the business-as-usual effort by operational and risk management teams “We may be very busy, we may be very efficient, but we will also be truly effective only when we begin with the end in mind.” Steven Covey
- 4. What laws and regulations apply to your company or your upstream partners and customers?
- 6. The fog can be lifted – excellent resources are already available! Research and Whitepapers ▪ The core / intent of technology and security controls are similar among regulations ▪ Leverage existing frameworks and control mapping crosswalks to deduplicate, and gets single set of required applicable controls
- 7. Control Testing (Pass/Fail) Issue (Open/ Close) Action Plan (Complete/ Incomplete Control Effective or Ineffective Process Level Risk Mitigated or Not Mitigated Risk Category Rating Regulatory and Compliance Requirements Board Regulators / Audit / Customers Regulations Internal Compliance Contracts Policies and Standards Requirements GRC Overview Process Risk Control Process Owner Risk Acceptance
- 8. Prerequisites to Success: Standardization - Save the user creativity for art class • Correct mapping for laws > requirements > processes > risks > controls • Lock down process, risk, control libraries and instantiate with limited flexibility • Mandatory fields with standardized response options Build infrastructure and guardrails from the start – An ounce of prevention • Approval workflows for changes to key fields (dates, ratings, etc.) • Preventative controls for data quality and integrity • Access control Clarify roles, responsibilities, and educate - No time for guesswork • Control owner identification and education • Automated system notifications for key actions and dates • Leadership reporting with consequences ✓ Standardization ✓ Governance ✓ Accountability
- 9. ISO 31000 Now that you have a strong core: use it to support the overall risk management process
- 10. Action Item for Today: Identify the (top) 3 regulatory oversight agencies, or regulations / standards that impact your company.