How To Integrate Business Risk & IT Risk

  1. How To Integrate Business Risk & IT Risk. Alex Hollis, VP, GRC Services.
  2. Disclaimer. Presentations are intended for educational purposes only and do not replace independent professional judgment. Risk is a complex word with many different definitions and approaches; there is no one-size-fits-all advice, method or process for achieving successful operational and IT risk management.
  3. Introduction. During this session you will leave with…
     1. An appreciation of integrated risk challenges
     2. An understanding of how operational and IT risk must work together
     3. An approach for creating a model within your own business
  4. What is IRM? Automating and integrating strategic, operational and IT risk management. www.surecloud.com © 2019 SureCloud. All rights reserved.
  5. IRM will catch you out. The easy solution won’t scale. Start today; it’ll only get harder. 42% require substantial work. (Chart: Complexity plotted against Size of Company.)
  6. A simple example
     • Single location
     • No ‘corporate’ unit
     • <5 employees
     • <5 suppliers
     • 1 till, with no IP address
     • Boilerplate compliance
     • Simple continuity plans
     • Not a big target for fraud/crime
  7. A complex example
     • Multiple locations
     • Multiple business units
     • 100+ staff
     • 50+ suppliers
     • Regulation
     • Custom compliance
     • Complex networked EPOS system
     • Back-office IT systems
     • Online store front
     • More of a target for fraud/crime
  8. Excel hell
  9. What is IRM? (Diagram: niche tools handling Third Party, Audit, Compliance, Policy, Risk, GDPR, PCI and ISO separately, against a single IRM platform covering all of them.)
  10. What do we need? Context, collaboration, reporting, transparency, communication, agility, accountability.
  11. Why is it so difficult?
     • Risk is a discussion
     • No common language
     • Limited top-down support
     • Methods, scale and approach all differ
     • Everything is a negotiation
  12. Always Be Certain. (Diagram: Op Risk & IT Risk, IRM.)
  13. Operational Risk. What is important? What is dangerous? What is real?
  14. The overall picture: Strategic, Operational, Functional.
  15. IRM (diagram)
  16. (diagram only)
  17. (diagram only)
  18. Before / After IRM (diagram)
  19. Bridging the divide. The layers, from Business Objectives down through Business Processes and Applications to Infrastructure.
  20. Building a Model
  21. Building a Model. Step 1: Entities; Step 2: Relationships; Step 3: Realise. Step 1: Document the entities.
  22. Step 1: Entities. Source text to work from:
     “The purpose of the Board of Directors’ Risk Policy Committee (“DRPC”) is to assist the Board in its oversight of the operation of the Firm’s global risk management framework and to approve and periodically review the primary risk-management policies of the Firm’s global operations. The Committee’s responsibilities include oversight of management’s exercise of its responsibility to assess and manage:
     • credit risk
     • market risk
     • investment risk
     • liquidity risk
     • country risk
     • estimations and model risk
     • operational risk
     • compliance risk including fiduciary risk
     the governance frameworks or policies for risk identification, risk appetite, reputational risk, and conduct risk; and capital and liquidity planning and analysis. The DRPC oversees reputational risks and conduct risks within its scope of responsibility.” JP Morgan Chase (https://www.jpmorganchase.com/corporate/About-JPMC/ab-risk-committee.htm)
  23. Step 1: Entities. (The DRPC text from the previous slide, repeated.)
  24. Step 1: Entities. Entities picked out of the DRPC text:
     • Risk Management Framework
     • Risk (various types)
     • Risk Appetite
     • Governance Framework
     • Oversight (Operations)
     • Oversight (Management)
     • Capital, Liquidity and Planning
     • Risk Identification
     • Risk Category / Taxonomy
     • Policies (including risk management policies)
  25. Step 1: Entities. The same entities, grouped:
     • Risk Management Framework; Governance Framework; Capital, Liquidity and Planning
     • Risk (various types); Risk Appetite; Risk Identification; Risk Category / Taxonomy
     • Oversight (Operations); Oversight (Management)
     • Policies (including risk management policies)
  26. Step 1: Entities. A general entity list:
     • Objective / Goal
     • Department / Function / BU
     • Process
     • Application
     • Information
     • Infrastructure / Devices
     • Incidents
     • Vulnerabilities
     • Third Parties
     • Risk
     • Control
     • Policy
     • Regulation
  27. Step 2: Relationships. (Diagram linking the entities: Business Objective, Department / Function, Business Processes, Supply / Third Party, Risk, Control, Policy, Regulations, Actions/Tasks, Information, Incidents, Vulnerabilities, Infrastructure, Applications.)
  28. Step 2: Relationships. (Diagram only.)
  29. Step 2: Relationships. (Diagram with the same entities.)
  30. Step 3: Realise. (Chart: Ability to change against Ability to handle complexity, placing Pen & Paper, DMS, Excel, Custom Program and GRC Technology.)
  31. Step 3: Realise. (Diagram only.)
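Worked example, added here and not part of the deck: the three steps expressed as a small typed graph in Python. The entity types are those of slide 26 and the top-down chain (Objective, Process, Application, Infrastructure) is the layering of slide 19. Everything else is an assumption made for the example: the relation names (the deck draws the links but does not name them), the `RiskModel` class and its methods, and the sample retailer built in `build_sample_model()`, whose hosts, vulnerabilities, risk, control, policy and regulation are constructed data. The point it shows is the "bridging the divide" traversal in both directions: from a vulnerability on a host up to the business objectives it exposes, and from an objective down to the assets, third parties, risks, controls and regulations in its scope.

```python
from collections import defaultdict, deque

# Step 1: entity types, as listed on slide 26.
ENTITY_TYPES = {"Objective", "Department", "Process", "Application", "Information",
                "Infrastructure", "Incident", "Vulnerability", "ThirdParty",
                "Risk", "Control", "Policy", "Regulation"}

# Step 2: allowed links as (relation, source type, target type).  The first four
# follow the layering of slide 19; the relation names are an assumption made for
# this example, since the deck draws the links but does not name them.
RELATIONSHIPS = {
    ("depends_on", "Objective", "Process"), ("uses", "Process", "Application"),
    ("runs_on", "Application", "Infrastructure"), ("supplied_by", "Application", "ThirdParty"),
    ("affects", "Vulnerability", "Infrastructure"), ("hit", "Incident", "Application"),
    ("threatens", "Risk", "Process"), ("mitigates", "Control", "Risk"),
    ("requires", "Policy", "Control"), ("mandates", "Regulation", "Policy"),
}
UPWARD = {"runs_on", "uses", "depends_on"}                       # asset -> objective
DOWNWARD = {"depends_on", "uses", "runs_on", "supplied_by"}      # objective -> assets
GOVERNANCE = {"threatens", "mitigates", "requires", "mandates"}  # process -> regulation


class RiskModel:
    def __init__(self):
        self.types = {}               # entity name -> entity type
        self.out = defaultdict(list)  # source -> [(relation, target)]
        self.inc = defaultdict(list)  # target -> [(relation, source)]

    def add(self, etype, name):
        if etype not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type: {etype}")
        self.types[name] = etype

    def allowed(self, src, relation, dst):
        return (relation, self.types[src], self.types[dst]) in RELATIONSHIPS

    def link(self, src, relation, dst):
        # Refuse links the model does not define, so the graph stays explainable.
        if not self.allowed(src, relation, dst):
            raise ValueError(f"link not in the model: {src} -{relation}-> {dst}")
        self.out[src].append((relation, dst))
        self.inc[dst].append((relation, src))

    def reach(self, starts, relations, backward=False):
        # Breadth-first walk from `starts`, following only `relations`, either
        # along the edges (source -> target) or against them.
        adj = self.inc if backward else self.out
        seen, queue = set(), deque(starts)
        while queue:
            for rel, nxt in adj[queue.popleft()]:
                if rel in relations and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def of_type(self, names, etype):
        return sorted(n for n in names if self.types[n] == etype)

    def exposed_objectives(self, vulnerability):
        # IT risk -> business risk: objectives that rest on an affected asset.
        assets = self.reach({vulnerability}, {"affects"})
        return self.of_type(self.reach(assets, UPWARD, backward=True), "Objective")

    def objective_scope(self, objective):
        # Business risk -> IT risk: what the objective rests on, plus the risks,
        # controls and regulations attached to its processes, keyed by entity type.
        tech = self.reach({objective}, DOWNWARD)
        gov = self.reach(self.of_type(tech, "Process"), GOVERNANCE, backward=True)
        scope = {t: self.of_type(tech, t) for t in ("Process", "Application", "Infrastructure", "ThirdParty")}
        scope.update({t: self.of_type(gov, t) for t in ("Risk", "Control", "Regulation")})
        return scope


def build_sample_model():
    # Step 3 on constructed sample data: a small retailer with an online store.
    m = RiskModel()
    for etype, name in [
        ("Objective", "Take online orders"), ("Objective", "Keep shelves stocked"),
        ("Process", "Online checkout"), ("Process", "Stock replenishment"),
        ("Application", "Web store"), ("Application", "Warehouse system"),
        ("Infrastructure", "web-01"), ("Infrastructure", "db-01"), ("ThirdParty", "Payment gateway"),
        ("Vulnerability", "Unpatched TLS library on web-01"), ("Vulnerability", "Default admin password on db-01"),
        ("Risk", "Card data breach"), ("Control", "Tokenise card numbers"),
        ("Policy", "Payment security policy"), ("Regulation", "PCI DSS"),
    ]:
        m.add(etype, name)
    for src, rel, dst in [
        ("Take online orders", "depends_on", "Online checkout"),
        ("Keep shelves stocked", "depends_on", "Stock replenishment"),
        ("Online checkout", "uses", "Web store"), ("Stock replenishment", "uses", "Warehouse system"),
        ("Web store", "runs_on", "web-01"), ("Web store", "runs_on", "db-01"),
        ("Warehouse system", "runs_on", "db-01"), ("Web store", "supplied_by", "Payment gateway"),
        ("Unpatched TLS library on web-01", "affects", "web-01"),
        ("Default admin password on db-01", "affects", "db-01"),
        ("Card data breach", "threatens", "Online checkout"),
        ("Tokenise card numbers", "mitigates", "Card data breach"),
        ("Payment security policy", "requires", "Tokenise card numbers"),
        ("PCI DSS", "mandates", "Payment security policy"),
    ]:
        m.link(src, rel, dst)
    return m


if __name__ == "__main__":
    m = build_sample_model()
    print(m.exposed_objectives("Default admin password on db-01"), m.objective_scope("Take online orders"))
```

Because db-01 sits under both the web store and the warehouse system, the default-password finding on it comes back tied to both objectives, while the TLS finding on web-01 is tied only to online ordering; that is the difference between an IT risk register that lists hosts and one the business can read. The reverse query answers the board's question from the other side: which assets, suppliers, controls and regulations an objective actually depends on. The type check in `link` is what keeps the "Excel hell" of free-text cross references from creeping back in.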
  32. Who am I? I have over 16 years’ experience in IT, mobile technology and software development. I have spent the last seven years specializing in governance, risk, and compliance (GRC). After just six months in the industry, I received a platinum-level excellence award for my work around risk bow-tie modeling, Solvency 2 and Basel 3. Now focusing primarily on operational risk, I have analyzed, designed and implemented GRC technology into 60 companies, including some of the largest and most complex environments. My experience spans multiple sectors, including telecommunications, aviation, pharmaceuticals, manufacturing, retail, public sector, financial services and insurance. Alex Hollis, VP, GRC Services. Thank You.
  33. Thank you www.surecloud.com