SlideShare a Scribd company logo

Business oriented risk management approach luís martins

Luis Martins
Luis Martins
1 of 26
Download to read offline
Business Oriented Risk Management Approach 2nd IT GRC Meeting 2011 - Lisbon
Agenda 1. The problem 2. State of the Art 3. Business Oriented Risk Management Approach 4. Enlightenment starts here and now 5. Prioritizing investments 6. Ensuring repeatability 7. A Global Risk Framework 8. Conclusions 9. Q&A 17/10/2011 2nd IT GRC Meeting 3
Introduction Modern organizations, which want to ensure information security of their assets, need to establish and maintain effective information security management systems. These systems, in turn, must integrate a well balanced set of safeguards selected on the basis of the existing risks and business needs. 17/10/2011 2nd IT GRC Meeting 4
Introduction What are your organization’s most pressing IT Risk issues? The answer probably depends somewhat on your job and the perspective it gives you. It’s always about managing risk at some cost. In the absence of metrics, we tend to over-compensate and focus on risks that are either familiar or recent. 17/10/2011 2nd IT GRC Meeting 5
Introduction Risk management needs to be business-oriented. Identify assets and processes that are critical to business and determine what must be done to protect them. 17/10/2011 2nd IT GRC Meeting 6
The problem 1. That’s too generic – I don’t see how it can work. E.g. “new version will be released late” it says nothing about the real problem – potential reason why there can be a slip. A reason should be named, not a result. 17/10/2011 2nd IT GRC Meeting 7
The problem 2. That’s too detailed – I don’t understand the problem. E.g. “problems with multithreading in new API function will result in overrunning code complete milestone”, that’s something no one understands. Either make it understandable or throw it away. 17/10/2011 2nd IT GRC Meeting 8
The problem 3. Where’s the avoidance plan? Usually it’s easy to name the threat and rather not difficult to find an emergency plan. But when you don’t equip your risk with a good avoidance plan it’s almost worthless. Of course sometimes no matter how hard you try you won’t come up with anything reasonable. Then you just accept the risk is going to materialize. 17/10/2011 2nd IT GRC Meeting 9
The problem 4. I don’t see any change … In the top 5 list there’s always the same set of risks, the same set of people responsible for them and the same things told. “This week nothing changed.” If really nothing changed person responsible for the risk should be “ashamed”. Usually something has changed but it’s not reported because it doesn’t seem important. 17/10/2011 2nd IT GRC Meeting 10
The problem 5. Hey, that’s yet another thing I have to do! Unless people believe that it really works it’ll always be something they do because they have to. 17/10/2011 2nd IT GRC Meeting 11
The problem 6. I don’t believe in that! Unless people believe that it really works it’ll always be something they do because they have to. Even when it starts working, results are usually seen from the management level but most of the team doesn’t see a difference. They have to see it work! 17/10/2011 2nd IT GRC Meeting 12
State of the Art Most Organizations are 4 here 3 Business 2 Oriented Risk Based 1 Compliance & in-depth Threat Defense Defense Tactical Strategic 17/10/2011 2nd IT GRC Meeting 13
State of the Art Business 4 Oriented Compliance 3 Risk Based & in-depth 2 Defense Threat 1 Defense 17/10/2011 2nd IT GRC Meeting 14
Business … … Oriented Risk Management Approach: Business Risk Operations Incident governance management management management 17/10/2011 2nd IT GRC Meeting 15
Business … … Oriented Risk Management Approach: Business governance • Define business objectives • Define business-level risk targets • Define business-critical assets 17/10/2011 2nd IT GRC Meeting 16
Business … … Oriented Risk Management Approach: Risk management • Understand external and internal threat landscape • Identify vulnerabilities • Classify high-value assets 17/10/2011 2nd IT GRC Meeting 17
Business … … Oriented Risk Management Approach: Operations management • Prioritize work by risk • Add security controls where needed • Maximize monitoring and visibility 17/10/2011 2nd IT GRC Meeting 18
Business … … Oriented Risk Management Approach: Incident management • Identify security events • Prioritize by business • impact • Report to business owners 17/10/2011 2nd IT GRC Meeting 19
Business … … Oriented Risk Management Approach: Business Risk Operations Incident governance management management management • Define business • Understand external • Prioritize work by risk • Identify security events objectives and internal threat • Add security controls • Prioritize by business • Define business-level landscape where needed • impact risk targets • Identify vulnerabilities • Maximize monitoring • Report to business • Define business-critical • Classify high-value and visibility owners assets assets 17/10/2011 2nd IT GRC Meeting 20
Enlightment … … starts here and know! There is a process of enlightenment that organizations need to go through to effectively manage risk. 17/10/2011 2nd IT GRC Meeting 21
Prioritizing … … investments … … based on the amount of risk a given activity entails relative to the potential business reward, and in keeping with the organization’s appetite for risk. 17/10/2011 2nd IT GRC Meeting 22
Ensuring … … repeatability. Once enterprise information has been located and a risk assessment was made, the next step is to implement controls — including policies, technologies and tools — to mitigate that risk. 17/10/2011 2nd IT GRC Meeting 23
A Global … … Risk Framework. For critical data, a global risk framework should provide an holistic view of risk across lines of business and operations. 17/10/2011 2nd IT GRC Meeting 24
Conclusions Are enterprises ready to embrace risk management as a business accelerator? Roughly 20 percent of enterprises already ‘get it’! Another 60 percent are ready for that message but are not fully on board … and the remaining 20 percent are still back in the mindset that risk management is an inhibitor. 17/10/2011 2nd IT GRC Meeting 25
Q&A Luís Martins luis.martins@glintt.com 17/10/2011 2nd IT GRC Meeting 26

Recommended

How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...IT Network marcus evans
 
Outsourcing from a strategic management perspective by friedrich blase and da...
Outsourcing from a strategic management perspective by friedrich blase and da...Outsourcing from a strategic management perspective by friedrich blase and da...
Outsourcing from a strategic management perspective by friedrich blase and da...David Cunningham
 
Conversations oneffectiveit management
Conversations oneffectiveit managementConversations oneffectiveit management
Conversations oneffectiveit managementComputer Aid, Inc
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover StoryTorrid Networks Private Limited
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...DFLABS SRL
 
Riskpro construction industry
Riskpro construction industryRiskpro construction industry
Riskpro construction industryRahul Bhan (CA, CIA, MBA)
 
How do you monitor your Basel III compliance?
How do you monitor your Basel III compliance? How do you monitor your Basel III compliance?
How do you monitor your Basel III compliance? Pactera_US
 
Jag Presentation V120601
Jag Presentation V120601Jag Presentation V120601
Jag Presentation V120601jagagnonconsultant
 

Recommended

How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...IT Network marcus evans
 
Outsourcing from a strategic management perspective by friedrich blase and da...
Outsourcing from a strategic management perspective by friedrich blase and da...Outsourcing from a strategic management perspective by friedrich blase and da...
Outsourcing from a strategic management perspective by friedrich blase and da...David Cunningham
 
Conversations oneffectiveit management
Conversations oneffectiveit managementConversations oneffectiveit management
Conversations oneffectiveit managementComputer Aid, Inc
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover StoryTorrid Networks Private Limited
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...DFLABS SRL
 
Riskpro construction industry
Riskpro construction industryRiskpro construction industry
Riskpro construction industryRahul Bhan (CA, CIA, MBA)
 
How do you monitor your Basel III compliance?
How do you monitor your Basel III compliance? How do you monitor your Basel III compliance?
How do you monitor your Basel III compliance? Pactera_US
 
Jag Presentation V120601
Jag Presentation V120601Jag Presentation V120601
Jag Presentation V120601jagagnonconsultant
 
Riskpro Construction Industry
Riskpro Construction IndustryRiskpro Construction Industry
Riskpro Construction IndustryRahul Bhan (CA, CIA, MBA)
 
Riskpro construction industry 2013
Riskpro construction industry 2013Riskpro construction industry 2013
Riskpro construction industry 2013Rahul Bhan (CA, CIA, MBA)
 
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecLaura Tibbo
 
Dynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetDynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetClear Technologies
 
Taming the data demons: leveraging information in the age of risk white paper
Taming the data demons: leveraging information in the age of risk white paperTaming the data demons: leveraging information in the age of risk white paper
Taming the data demons: leveraging information in the age of risk white paperIBM India Smarter Computing
 
symantec IRFSQ308
symantec IRFSQ308symantec IRFSQ308
symantec IRFSQ308finance40
 
A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai
A Model for Reducing Security Risks due to Human Error - iSafe 2010, DubaiA Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai
A Model for Reducing Security Risks due to Human Error - iSafe 2010, DubaiAnup Narayanan
 
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...Roger Bottum
 
Swenson Group Vvma
Swenson Group VvmaSwenson Group Vvma
Swenson Group Vvmamhunter22
 
Managing Risk in IT
Managing Risk in ITManaging Risk in IT
Managing Risk in ITNTEN
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Enterprising Non-Profits
 
Riskpro construction industry 2013
Riskpro construction industry 2013Riskpro construction industry 2013
Riskpro construction industry 2013Rahul Bhan (CA, CIA, MBA)
 
Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySaskSummit
 
AIE- A New Method for Quantifying IT Value
AIE- A New Method for Quantifying IT ValueAIE- A New Method for Quantifying IT Value
AIE- A New Method for Quantifying IT ValueJody Keyser
 
Relating Enterprise Strategy
Relating Enterprise StrategyRelating Enterprise Strategy
Relating Enterprise StrategyToby_Vivek
 
CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonPatricia M Watson
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013Rahul Bhan (CA, CIA, MBA)
 
From technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontierFrom technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontierRamsés Gallego
 
D M E S M Whitepaper
D M E S M WhitepaperD M E S M Whitepaper
D M E S M WhitepaperAutomotive Social Media Marketing Reputation Management
 
Successful Social Media Marketing Campaign, 140 Characters at a Time
Successful Social Media Marketing Campaign, 140 Characters at a TimeSuccessful Social Media Marketing Campaign, 140 Characters at a Time
Successful Social Media Marketing Campaign, 140 Characters at a TimeKeith Parnell
 
12th Annual Godwin Wong Business Plan Competition
12th Annual Godwin Wong Business Plan Competition12th Annual Godwin Wong Business Plan Competition
12th Annual Godwin Wong Business Plan Competitionvarlamovdenis
 
How To - Of Inbound Marketing
How To - Of Inbound MarketingHow To - Of Inbound Marketing
How To - Of Inbound MarketingMarcus Tewksbury
 

More Related Content

What's hot

Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecLaura Tibbo
 
Dynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetDynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetClear Technologies
 
Taming the data demons: leveraging information in the age of risk white paper
Taming the data demons: leveraging information in the age of risk white paperTaming the data demons: leveraging information in the age of risk white paper
Taming the data demons: leveraging information in the age of risk white paperIBM India Smarter Computing
 
symantec IRFSQ308
symantec IRFSQ308symantec IRFSQ308
symantec IRFSQ308finance40
 
A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai
A Model for Reducing Security Risks due to Human Error - iSafe 2010, DubaiA Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai
A Model for Reducing Security Risks due to Human Error - iSafe 2010, DubaiAnup Narayanan
 
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...Roger Bottum
 
Swenson Group Vvma
Swenson Group VvmaSwenson Group Vvma
Swenson Group Vvmamhunter22
 
Managing Risk in IT
Managing Risk in ITManaging Risk in IT
Managing Risk in ITNTEN
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Enterprising Non-Profits
 
Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySaskSummit
 
AIE- A New Method for Quantifying IT Value
AIE- A New Method for Quantifying IT ValueAIE- A New Method for Quantifying IT Value
AIE- A New Method for Quantifying IT ValueJody Keyser
 
Relating Enterprise Strategy
Relating Enterprise StrategyRelating Enterprise Strategy
Relating Enterprise StrategyToby_Vivek
 
CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonPatricia M Watson
 
From technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontierFrom technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontierRamsés Gallego
 

What's hot (18)

Riskpro Construction Industry
Riskpro Construction IndustryRiskpro Construction Industry
Riskpro Construction Industry
 
Riskpro construction industry 2013
Riskpro construction industry 2013Riskpro construction industry 2013
Riskpro construction industry 2013
 
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
 
Dynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetDynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value Sheet
 
Taming the data demons: leveraging information in the age of risk white paper
Taming the data demons: leveraging information in the age of risk white paperTaming the data demons: leveraging information in the age of risk white paper
Taming the data demons: leveraging information in the age of risk white paper
 
symantec IRFSQ308
symantec IRFSQ308symantec IRFSQ308
symantec IRFSQ308
 
A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai
A Model for Reducing Security Risks due to Human Error - iSafe 2010, DubaiA Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai
A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai
 
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...
Dynamic Case Management: Taming Untamed Processes with SpringCM and Forrester...
 
Swenson Group Vvma
Swenson Group VvmaSwenson Group Vvma
Swenson Group Vvma
 
Managing Risk in IT
Managing Risk in ITManaging Risk in IT
Managing Risk in IT
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)
 
Riskpro construction industry 2013
Riskpro construction industry 2013Riskpro construction industry 2013
Riskpro construction industry 2013
 
Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir Fancy
 
AIE- A New Method for Quantifying IT Value
AIE- A New Method for Quantifying IT ValueAIE- A New Method for Quantifying IT Value
AIE- A New Method for Quantifying IT Value
 
Relating Enterprise Strategy
Relating Enterprise StrategyRelating Enterprise Strategy
Relating Enterprise Strategy
 
CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
 
From technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontierFrom technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontier
 

Viewers also liked

Successful Social Media Marketing Campaign, 140 Characters at a Time
Successful Social Media Marketing Campaign, 140 Characters at a TimeSuccessful Social Media Marketing Campaign, 140 Characters at a Time
Successful Social Media Marketing Campaign, 140 Characters at a TimeKeith Parnell
 
12th Annual Godwin Wong Business Plan Competition
12th Annual Godwin Wong Business Plan Competition12th Annual Godwin Wong Business Plan Competition
12th Annual Godwin Wong Business Plan Competitionvarlamovdenis
 
How To - Of Inbound Marketing
How To - Of Inbound MarketingHow To - Of Inbound Marketing
How To - Of Inbound MarketingMarcus Tewksbury
 
Security meeting 2012 ID Theft
Security meeting 2012 ID TheftSecurity meeting 2012 ID Theft
Security meeting 2012 ID TheftLuis Martins
 
Resource Planning for Social Media Marketing - EBriks Infotech
Resource Planning for Social Media Marketing - EBriks InfotechResource Planning for Social Media Marketing - EBriks Infotech
Resource Planning for Social Media Marketing - EBriks InfotechEBriks Infotech Pvt. Ltd.
 
Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...
Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...
Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...Erica Campbell Byrum
 

Viewers also liked (8)

D M E S M Whitepaper
D M E S M WhitepaperD M E S M Whitepaper
D M E S M Whitepaper
 
Successful Social Media Marketing Campaign, 140 Characters at a Time
Successful Social Media Marketing Campaign, 140 Characters at a TimeSuccessful Social Media Marketing Campaign, 140 Characters at a Time
Successful Social Media Marketing Campaign, 140 Characters at a Time
 
12th Annual Godwin Wong Business Plan Competition
12th Annual Godwin Wong Business Plan Competition12th Annual Godwin Wong Business Plan Competition
12th Annual Godwin Wong Business Plan Competition
 
How To - Of Inbound Marketing
How To - Of Inbound MarketingHow To - Of Inbound Marketing
How To - Of Inbound Marketing
 
Security meeting 2012 ID Theft
Security meeting 2012 ID TheftSecurity meeting 2012 ID Theft
Security meeting 2012 ID Theft
 
Digital dealer7 socialmarketing-v8
Digital dealer7 socialmarketing-v8Digital dealer7 socialmarketing-v8
Digital dealer7 socialmarketing-v8
 
Resource Planning for Social Media Marketing - EBriks Infotech
Resource Planning for Social Media Marketing - EBriks InfotechResource Planning for Social Media Marketing - EBriks Infotech
Resource Planning for Social Media Marketing - EBriks Infotech
 
Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...
Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...
Leveraging Social Media Marketing: Lincoln Property Company Annual Marketing ...
 

Similar to Business oriented risk management approach luís martins

Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk ManagementManoj Jain
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planningalanlund
 
Building the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your CompanyBuilding the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your CompanyAIIM International
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptxjamiejohngianna
 
Riskpro Business Risk Management
Riskpro Business Risk ManagementRiskpro Business Risk Management
Riskpro Business Risk ManagementManoj Jain
 
When IT Fails The Business Fails...
When IT Fails The Business Fails...When IT Fails The Business Fails...
When IT Fails The Business Fails...Gene Kim
 
Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...IBM Banking
 
121211 depfac ulb_master_presentation_v5_1
121211 depfac ulb_master_presentation_v5_1121211 depfac ulb_master_presentation_v5_1
121211 depfac ulb_master_presentation_v5_1Thibaut De Vylder
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamEMC
 

Similar to Business oriented risk management approach luís martins (20)

Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro information risk management
Riskpro information risk managementRiskpro information risk management
Riskpro information risk management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
#Kdk At εεχμτ 2010 12 03 V10
#Kdk At εεχμτ 2010 12 03 V10#Kdk At εεχμτ 2010 12 03 V10
#Kdk At εεχμτ 2010 12 03 V10
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 
Building the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your CompanyBuilding the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your Company
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
 
Riskpro Legal And Compliance Audits
Riskpro Legal And Compliance AuditsRiskpro Legal And Compliance Audits
Riskpro Legal And Compliance Audits
 
Riskpro legal and compliance audits
Riskpro legal and compliance auditsRiskpro legal and compliance audits
Riskpro legal and compliance audits
 
Riskpro Legal And Compliance Audits
Riskpro Legal And Compliance AuditsRiskpro Legal And Compliance Audits
Riskpro Legal And Compliance Audits
 
Riskpro Legal And Compliance Audits
Riskpro Legal And Compliance AuditsRiskpro Legal And Compliance Audits
Riskpro Legal And Compliance Audits
 
Riskpro Legal And Compliance Audits
Riskpro Legal And Compliance AuditsRiskpro Legal And Compliance Audits
Riskpro Legal And Compliance Audits
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
 
Riskpro Business Risk Management
Riskpro Business Risk ManagementRiskpro Business Risk Management
Riskpro Business Risk Management
 
When IT Fails The Business Fails...
When IT Fails The Business Fails...When IT Fails The Business Fails...
When IT Fails The Business Fails...
 
Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...
 
121211 depfac ulb_master_presentation_v5_1
121211 depfac ulb_master_presentation_v5_1121211 depfac ulb_master_presentation_v5_1
121211 depfac ulb_master_presentation_v5_1
 
Riskpro construction industry 2013
Riskpro construction industry 2013Riskpro construction industry 2013
Riskpro construction industry 2013
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended Team
 

Business oriented risk management approach luís martins

  • 1.
  • 2. Business Oriented Risk Management Approach 2nd IT GRC Meeting 2011 - Lisbon
  • 3. Agenda 1. The problem 2. State of the Art 3. Business Oriented Risk Management Approach 4. Enlightenment starts here and now 5. Prioritizing investments 6. Ensuring repeatability 7. A Global Risk Framework 8. Conclusions 9. Q&A 17/10/2011 2nd IT GRC Meeting 3
  • 4. Introduction Modern organizations, which want to ensure information security of their assets, need to establish and maintain effective information security management systems. These systems, in turn, must integrate a well balanced set of safeguards selected on the basis of the existing risks and business needs. 17/10/2011 2nd IT GRC Meeting 4
  • 5. Introduction What are your organization’s most pressing IT Risk issues? The answer probably depends somewhat on your job and the perspective it gives you. It’s always about managing risk at some cost. In the absence of metrics, we tend to over-compensate and focus on risks that are either familiar or recent. 17/10/2011 2nd IT GRC Meeting 5
  • 6. Introduction Risk management needs to be business-oriented. Identify assets and processes that are critical to business and determine what must be done to protect them. 17/10/2011 2nd IT GRC Meeting 6
  • 7. The problem 1. That’s too generic – I don’t see how it can work. E.g. “new version will be released late” it says nothing about the real problem – potential reason why there can be a slip. A reason should be named, not a result. 17/10/2011 2nd IT GRC Meeting 7
  • 8. The problem 2. That’s too detailed – I don’t understand the problem. E.g. “problems with multithreading in new API function will result in overrunning code complete milestone”, that’s something no one understands. Either make it understandable or throw it away. 17/10/2011 2nd IT GRC Meeting 8
  • 9. The problem 3. Where’s the avoidance plan? Usually it’s easy to name the threat and rather not difficult to find an emergency plan. But when you don’t equip your risk with a good avoidance plan it’s almost worthless. Of course sometimes no matter how hard you try you won’t come up with anything reasonable. Then you just accept the risk is going to materialize. 17/10/2011 2nd IT GRC Meeting 9
  • 10. The problem 4. I don’t see any change … In the top 5 list there’s always the same set of risks, the same set of people responsible for them and the same things told. “This week nothing changed.” If really nothing changed person responsible for the risk should be “ashamed”. Usually something has changed but it’s not reported because it doesn’t seem important. 17/10/2011 2nd IT GRC Meeting 10
  • 11. The problem 5. Hey, that’s yet another thing I have to do! Unless people believe that it really works it’ll always be something they do because they have to. 17/10/2011 2nd IT GRC Meeting 11
  • 12. The problem 6. I don’t believe in that! Unless people believe that it really works it’ll always be something they do because they have to. Even when it starts working, results are usually seen from the management level but most of the team doesn’t see a difference. They have to see it work! 17/10/2011 2nd IT GRC Meeting 12
  • 13. State of the Art Most Organizations are 4 here 3 Business 2 Oriented Risk Based 1 Compliance & in-depth Threat Defense Defense Tactical Strategic 17/10/2011 2nd IT GRC Meeting 13
  • 14. State of the Art Business 4 Oriented Compliance 3 Risk Based & in-depth 2 Defense Threat 1 Defense 17/10/2011 2nd IT GRC Meeting 14
  • 15. Business … … Oriented Risk Management Approach: Business Risk Operations Incident governance management management management 17/10/2011 2nd IT GRC Meeting 15
  • 16. Business … … Oriented Risk Management Approach: Business governance • Define business objectives • Define business-level risk targets • Define business-critical assets 17/10/2011 2nd IT GRC Meeting 16
  • 17. Business … … Oriented Risk Management Approach: Risk management • Understand external and internal threat landscape • Identify vulnerabilities • Classify high-value assets 17/10/2011 2nd IT GRC Meeting 17
  • 18. Business … … Oriented Risk Management Approach: Operations management • Prioritize work by risk • Add security controls where needed • Maximize monitoring and visibility 17/10/2011 2nd IT GRC Meeting 18
  • 19. Business … … Oriented Risk Management Approach: Incident management • Identify security events • Prioritize by business • impact • Report to business owners 17/10/2011 2nd IT GRC Meeting 19
  • 20. Business … … Oriented Risk Management Approach: Business Risk Operations Incident governance management management management • Define business • Understand external • Prioritize work by risk • Identify security events objectives and internal threat • Add security controls • Prioritize by business • Define business-level landscape where needed • impact risk targets • Identify vulnerabilities • Maximize monitoring • Report to business • Define business-critical • Classify high-value and visibility owners assets assets 17/10/2011 2nd IT GRC Meeting 20
  • 21. Enlightment … … starts here and know! There is a process of enlightenment that organizations need to go through to effectively manage risk. 17/10/2011 2nd IT GRC Meeting 21
  • 22. Prioritizing … … investments … … based on the amount of risk a given activity entails relative to the potential business reward, and in keeping with the organization’s appetite for risk. 17/10/2011 2nd IT GRC Meeting 22
  • 23. Ensuring … … repeatability. Once enterprise information has been located and a risk assessment was made, the next step is to implement controls — including policies, technologies and tools — to mitigate that risk. 17/10/2011 2nd IT GRC Meeting 23
  • 24. A Global … … Risk Framework. For critical data, a global risk framework should provide an holistic view of risk across lines of business and operations. 17/10/2011 2nd IT GRC Meeting 24
  • 25. Conclusions Are enterprises ready to embrace risk management as a business accelerator? Roughly 20 percent of enterprises already ‘get it’! Another 60 percent are ready for that message but are not fully on board … and the remaining 20 percent are still back in the mindset that risk management is an inhibitor. 17/10/2011 2nd IT GRC Meeting 25
  • 26. Q&A Luís Martins luis.martins@glintt.com 17/10/2011 2nd IT GRC Meeting 26