Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks. This program will provide an overview of Enterprise Risk Management (ERM) best practices and current emerging risks that should be on your radar for 2018.
Watch the complete webinar here: https://aronsonllc.com/c-suites-guide-to-enterprise-risk-management-and-emerging-risks/?sf_data=all&_sft_insight-type=on-demand-webinar
Enterprise Risk Management - Aligning Risk with Strategy and Performance (Resolver Inc.)
COSO, which has provided global thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence for over three decades, recently released a draft update to the original COSO ERM Framework. This framework is widely used by organizations to enhance their ability to manage uncertainty, gauge risk, and increase stakeholder value. However, significant new risks have emerged since the Framework was released, demanding heightened board awareness and oversight of risk management, as well as improved risk reporting. For those organizations exploring ESRM – these themes will be strikingly familiar and the lessons learned, highly relevant.
Presentation by: Bob Hirth, Global Chairman of COSO.
Governance, Culture & Incentives - Fundamentals of Operational Risk (Andrew Smart)
Governance, Culture & Incentives: Fundamentals of Operational Risk. This presentation provides some practical tools to answer three key questions and create alignment.
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S... (PECB)
The webinar covers:
• The start of any Enterprise Risk Management Program
• The approach to developing a framework that will assist organizations to integrate RM into their enterprise-wide risk management systems
• The relationship between the foundations of the risk management framework and their objectives
Presenter:
This webinar was presented by M. Youssef K, an executive consultant & trainer with several qualifications. He is an accomplished expert with over 10 years’ experience in the field of risk management, project and program management, PRINCE 2, Agile, EVM, business process analysis and design, as well as operational and organizational excellence.
Link of the recorded session published on YouTube: https://youtu.be/9fO-JqENL0I
Enterprise Risk Management and Sustainability (Jeff B)
An overview of our endeavors at implementing ISO 31000 enterprise risk management and the importance of establishing good risk culture within the company.
Strategic Risk Management as a CFO: Getting Risk Management Right (Proformative, Inc.)
Video & Presentation: http://www.proformative.com/events/strategic-risk-management-cfo-getting-risk-management-right
Enterprise Risk Management should be simple. Unfortunately, companies are responding to regulators and business imperatives to improve their risk management practices, all the while aligning with business strategy and performance as well as capital allocation. Leading practitioners are seeking insight and value from risk management and are using risk management to focus audit and compliance activities. In fact, independent research commissioned by SAP and others suggests many successful ERM initiatives still make little use of the increasingly sophisticated technology available. This session will summarize recent research by SAP and others on the state of ERM and will provide simple, practical strategies for how Finance can drive risk management practices that build success and add value.
Speakers:
Bob Tizio, GRC Officer-Americas, SAP America Inc.
Bruce McCuaig, Director, Solution Marketing for Governance Risk & Compliance, SAP
Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com
Track: Finance Technology | Session: 5
Integrating Strategy and Risk Management (Andrew Smart)
"A Holistic Approach to Managing Risk amidst Global Uncertainty"
The RMA/Cass Business School
10–14 February 2013
Advanced Risk Management Programme
Organised by Andrew Smart & Nicholas Hawke
In today’s fast-moving, complex environment, risk executives must cultivate an understanding across all risks and businesses. Business problems are multifaceted, interrelated, and increasingly global. Executives must possess enhanced skills to identify and address a wide range of risks with an integrated approach and enterprise-wide perspective.
The RMA/Cass Advanced Risk Management Programme, led by the faculty at Cass, one of the UK’s top business schools, exposes participants to a rigorous yet inspiring blend of theory, practice and cutting-edge research, instilling knowledge and skills applicable to the real world of global business. In addition to its focus on the known and quantifiable risks of credit, market and operational risk, the programme concentrates on the unknowable and difficult-to-measure risks, including business, strategic and reputation risk. Cass has excellent links to City of London firms and institutions and is able to complement Cass faculty with guest faculty and senior-level business practitioners, considered by their peers to be industry thought leaders.
Areas of focus for The RMA/Cass Advanced Risk Management Programme include:
• Risk management as a strategic competitive strength
• An integrated approach to risk management
• Fostering a culture and climate that openly communicates risk
• A framework for rapidly responding to known risks and unraveling the complexities of the unknown
• A focus on risk informed by global perspectives.
Shaping Your Culture via Risk Appetite (Andrew Smart)
Andrew Smart will briefly explain risk appetite and how it can be linked into the overall strategy and risk management process of an organisation. He will then go on to clarify how Risk Appetite statements work alongside Vision statements, creating the right ‘tone from the top’, and how that can be cascaded through the organisation in the form of Risk Tolerances and KRIs. The webinar will conclude with a demonstration of how to enable and embed change, leveraging your SharePoint investment.
Please contact andrew.smart@stratexsystems.com for more details about the presentation or to have a talk about our software solutions.
A new emphasis on enterprise risk management from regulators has heightened awareness among bankers to get educated and adopt these best practices at their institution. In response to this increased focus, the RMA ERM Council developed the ERM framework and associated competencies, which became the foundation for a series of highly practical workbooks for implementing effective ERM.
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Integrating Risk into your Balanced Scorecard (Andrew Smart)
This presentation pulls the two separate disciplines of strategy management and risk management together into a single framework and shows how that framework can be integrated with the Balanced Scorecard. It provides a practical guide for organizations to shape and execute sustainable strategies with a full understanding of how much risk they are willing to accept in pursuit of strategic goals.
Please contact andrew.smart@stratexsystems.com for more details about the presentation or to have a talk about our software solutions.
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in Uncertain Times (PECB)
The webinar covers:
• Overview of ISO 31000 and how this standard addresses opportunities as well as threats
• Risk-based thinking as an integral part of ISO 9001:2015 and ISO 14001:2015
• Principles, processes and framework of ISO 31000
• How organizations can reduce uncertainty, seize opportunities and treat risks
Presenter:
This session will be presented by PECB Trainer Jacob McLean, Principal Consultant and Managing Director of Kaizen Training & Management Consultants Limited.
Link of the recorded session published on YouTube: https://youtu.be/MVBMM6X3Vgw
Enterprise Risk Management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.
Enterprise Risk Management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks.
In recent years, external factors have fueled a heightened interest by organizations in ERM.
Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies' risk-management policies and procedures.
In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk-management processes in the organizations they administer.
Since they thrive on the business of risk, financial institutions are good examples of companies that can benefit from effective ERM.
Their success depends on striking a balance between enhancing profits and managing risk.
In order for any enterprise to manage its future growth properly, effectively and prudently, Business Strategy needs to be sustained by modern Enterprise Risk Management (ERM) principles and practices.
The Enterprise Risk Management discipline is no longer a separate management profession or an eccentric management style; rather, it is a core competency that all organizations and executives must have in this Global Age. It should be a way of life for all.
A corporation must have social acceptance to survive and grow.
Society’s expectations change through:
1. Changing population mix.
2. Changing values and orientations.
Business performance changes through:
1. Economic, competitive, and structural conditions.
2. Regulatory constraints.
3. Futuristic, long-term orientation.
4. Leadership style.
The Risk and Control Self Assessment (RCSA) is an integral part of most operational risk management frameworks. RCSAs provide a structured mechanism for estimating operational exposures and the effectiveness of controls. In so doing, RCSAs help organisations to prioritise risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address any weaknesses or gaps.
A well designed and implemented RCSA can help to embed operational risk management across an organisation, improving management attitudes towards operational risk management and enhancing the overall risk culture. In contrast, an inefficient or unnecessarily complex RCSA can damage the reputation of the (operational) risk function and reinforce the perception that operational risk management is a bureaucratic, compliance-focused exercise that does not support the achievement of organisational objectives.
Learn more about Risk Management and the essentials with IRM’s level 1 certification.
https://www.theirmindia.org/level1
Level 1 qualified or risk management professionals with 2-3 years of experience can also enroll for level 2 certification.
https://www.theirmindia.org/level2
Visit: https://www.theirmindia.org/
Address: IRM India Affiliate, 907,908,909, Corporate Park II, 9th Floor, VN Puran Marg, Near Swastik Chambers, Chembur Mumbai 400071
IFAC Senior Technical Manager Vincent Tophoff presentation during the Institute of Chartered Accountants of Pakistan's CFO Conference 2013, CFO: Meeting Future Challenges! Mr. Tophoff discusses current trends and thinking in risk management and best practices.
Five Lines of Assurance: A New Paradigm in Internal Audit & ERM (Dr. Zar Rdj)
• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)
• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.
• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.
• The main role of internal audit is to report on the effectiveness of the risk management processes and on the consolidated report on residual risk status that the board receives from the CEO or his/her designate, and to help the company build and maintain robust risk management processes.
Mastering Information Technology Risk Management (Goutama Bachtiar)
These are the presentation slides that formed part of the courseware used when delivering the Information Technology Risk Management training workshop in May 2013.
Discussion of reputation risk and how to incorporate reputation management into a business in order to build resiliency and growth. Presented at the 3rd International Reputation Management Conference in Istanbul, Turkey, in November 2014.
Татьяна Будишевская
Senior Manager, Deloitte
A modern methodology for assessing the risk management culture in an organization
Practical tools for embedding a risk culture
Third-Party Risk Management: Implementing a Strategy (NICSA)
Two Part Series: Part I of II
Third-Party Risk Management: Implementing a Strategy
Sleep Better at Night: Learn techniques to manage risks associated with third-party relationships.
Aligning strategy decisions with risk appetite
Presented by David Shearer
Monday 10th October 2016
APM North West branch and Risk SIG conference
Alderley Park, Cheshire
Building trust means managing both the conditions and consequences of reputation risk. This presentation looks at how to integrate reputation management and reputation risk into the enterprise, across functions.
IT Risk Management & Leadership, 30 March - 02 April 2014, Dubai, UAE (360 BSI)
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken, whether that is to mitigate, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
Allocating Direct and Indirect Costs for Nonprofits (Aronson LLC)
Overhead and G&A are part of the cost of doing business. Nonprofits need to know how to present their programs in a way that represents the true picture of what goes into conducting the program.
By watching this webinar, your organization will learn how to identify indirect cost methods and cost drivers for allocating an indirect cost pool across programs. Our nonprofit expert Carol Barnard discusses joint cost and how it can help you present your fundraising costs more accurately, as well as what you need to do in order to have costs that qualify for this allocation.
Watch the complete webinar on our website: https://aronsonllc.com/allocating-direct-indirect-costs-for-nonprofits/
To Bid or Not to Bid, That Is the Question, by Aronson LLC
Companies will learn a step-by-step process that will help them determine the right time to pursue an opportunity. Viewers will walk away with proven techniques and strategies for making effective bid/no-bid decisions. These tips, if followed, will help companies invest in the right bid and proposal opportunities where the likelihood of capture is greater.
Watch the complete webinar on our website: https://aronsonllc.com/to-bid-or-not-to-bid-that-is-the-question/?sf_data=all&_sf_s=to+bid
Webinar: Understanding Business Tax Returns - A Case Study for Family Lawyers, by Aronson LLC
Join Aronson LLC experts Stuart Rosenberg and Sal Ambrosino for an informative webinar as they walk you through the basics of business returns. Stuart and Sal will show you how the choice between Corporation, S Corporation, or partnership can affect reporting for very similar businesses.
Who should attend this webinar?
Family lawyers wishing to understand the basics of business income tax returns and the valuable information they contain.
Learning Objectives:
-Common tax forms for all business income tax returns
-The basic business income tax returns
-Where to find key information quickly
-How the different entities report owners’ compensation
-How the choice of entity affects the owners’ tax burden
Virginia Businesses: STOP Overpaying Local BPOL Tax, by Aronson LLC
Join Aronson tax experts Michael L. Colavito, Jr. and Grant Patterson as they guide you in determining if your business is paying too much in Virginia local business license tax, also known as BPOL tax. Each year taxpayers often misinterpret “out-of-state deductions” and the common deductions and exclusions related to BPOL tax. With the Supreme Court of Virginia weighing in on the “out-of-state” deduction in 2015 and regulations on the horizon, many taxpayers are discovering that they have been making significant overpayments in BPOL tax.
By the end of this webinar, participants will:
-Have an understanding of the BPOL tax;
-Recognize the common deductions and exclusions available to taxpayers;
-Determine if the “out-of-state” deduction is available to a taxpayer;
-Compute the out-of-state deduction; and
-Know what to expect if they decide to file a refund claim with a locality.
Who should watch this webinar?
The topics discussed are particularly relevant to members of the accounting and finance departments for Virginia businesses providing services, such as:
-Government contractors
-Information technology companies
-Consulting businesses
Cybersecurity for Real Estate & Construction, by Aronson LLC
Aronson’s Tech Risk Partner Payal Vadhani and Construction & Real Estate Partner Tim Cummins spoke at the AICPA’s Construction and Real Estate Conference on December 8-9, 2016 at the Wynn in Las Vegas, NV. Their presentation focuses on how construction contractors and real estate organizations can develop a scalable multi-year cybersecurity strategy. In order for a security culture to be present and truly effective, security awareness and engagement is required at every level of your organization. Payal and Tim’s multi-tiered foundational block approach coupled with governance and culture will provide you and your organization with a roadmap for success and a customized cybersecurity program based on the industry, business needs, regulatory requirements, and specific business and cyber risks.
Ready to Scale: Moving from Commercial to Government for Construction, Engine..., by Aronson LLC
Join Aronson LLC in our Ready to Scale Series for a presentation on doing business with the government with a focus on Construction, Facilities O&M and Engineering. Learn how to maximize your company’s potential by learning about cash management and bonding considerations, structuring your business to balance government and commercial work and more!
This presentation will help you understand your company's indirect rate structure, looking at yielding auditable rates that comply with Federal Regulations and structure competitive indirect rates.
Surviving the GSA Schedule Contractor Assessment: What They'll Test and How t..., by Aronson LLC
What's in a name? Plenty, when it comes to GSA Schedule compliance. That's because the former Contractor Assistance Visit is now called the Contractor Assessment. The shift from "assistance" and "visit" reflects the evolution of the review into a tougher test and the heightened compliance challenges facing GSA Schedule contractors.
Surviving this tougher assessment requires three things: First, you must not overlook the latest contract requirements. Sounds obvious, but many contractors are unaware how their responsibilities have changed. Second, you must have the right compliance systems in place. And third, you need to know what areas will be evaluated and what documentation you must be prepared to provide.
GSA Schedule experts from Aronson's Government Contract Services Group provide you with tips and best practices for making it through your next Contractor Assessment without having compliance mistakes lead to a negative outcome.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality, by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a button, by DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Elevating Tactical DDD Patterns Through Object Calisthenics, by Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024, by Tobias Schneck
As AI technology pushes into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already have working for real.
Generating a custom Ruby SDK for your web service or Rails API using Smithy, by g2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 4, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. 2
Melissa Musser, CPA, CITP, CISA
Director, Risk Advisory – Aronson LLC
Director at Aronson with 15 years of professional experience. Melissa delivers a comprehensive best-in-class risk-based audit approach to respond to financial, compliance, operational & IT risks for small nonprofits to large global SEC organizations. Areas of focus include but are not limited to:
• Establishing, maintaining and optimizing internal controls and/or Sarbanes-Oxley 404 compliance programs.
• Planning, supervising and executing audits to ensure compliance with policies and regulations and to monitor achievement of corporate objectives.
• Developing and supporting Enterprise Risk Management and Internal Audit programs.
Prior to joining Aronson, Melissa spent eight years in public accounting as well as five years as a manager of corporate and IT internal audit and risk management for large global SEC organizations. Melissa has sat on numerous nonprofit boards throughout her career and actively volunteers within her community. She enjoys regularly sharing her knowledge with audiences, as well as having published whitepapers on internal controls.
She has a Bachelor of Science Degree in Accounting with majors in both Professional Accounting and Accounting Information Systems from the University of Akron. She received a Project Management Body of Knowledge (PMBOK) Certificate while there and also holds CPA, CITP and CISA (Certified Information Systems Auditor) certifications.
240.364.2598
mmusser@aronsonllc.com
3. 3
Donna McPartland
Privacy, Cybersecurity & Data Protection Counsel - Arent Fox LLP
Donna is Counsel in Arent Fox's Privacy, Cybersecurity & Data Protection practice group. She was formerly Chief Privacy Official at the Graduate Management Admission Council. At the core of Donna's practice, she draws from nearly 20 years of experience in the testing, higher education, and nonprofit industries. Donna works with a variety of clients on their global data privacy and information security issues, developing privacy programs, advising on cross-border data transfers, developing privacy policies, privacy impact assessments and data governance programs, navigating information security standards, and addressing issues in advanced technologies, including biometrics. Donna also advises nonprofits on their general counsel and transactional matters. Donna has significant in-house experience that clients can rely on to help them with their privacy and security matters. Experience includes:
• Global Privacy Program Development and Management (115 countries)
• Cross Border Data Transfer Requirements
• Direct Interaction with EU and other international data protection authorities (DPAs)
• Privacy Impact Assessments (PIAs)
• Information Security including NIST, ISO, and SOC standards
• Cloud Computing, social media and new technologies
• Biometrics
• Research and Marketing
+202.350.3765 (Work)
donna.mcpartland@arentfox.com
4. 4
Derek Symer
Principal, Senior Vice President, AHT Insurance
Derek Symer is an experienced Property & Liability Insurance Broker based in AHT's DC Metro office. Derek focuses on the Nonprofit & Education sectors, including Associations, Think Tanks, NGOs and Educational Institutions such as private colleges and independent schools. In his work, Derek helps his clients analyze their risk exposures and devise targeted risk transfer and mitigation strategies to improve their total cost of risk. Within this work, Derek has particular expertise in Directors & Officers Liability, Cyber Liability, Employment Practices Liability, Media & Publishers Liability, Event Cancellation, and International coverage.
In 2005, Derek co-founded the Business Managers Roundtable, a networking and educational forum for business officers of private & independent schools. Derek and AHT are members of the National Business Officers Association (NBOA), American Society of Association Executives (ASAE), and Greater Washington Society of Certified Public Accountants (GWSCPA).
AHT has been recognized by Business Insurance as a Best Place to Work in Insurance.
+703.669.1121 (Work)
DSymer@ahtins.com
5. 5
Highlights & Objectives
• Understand the importance of Enterprise Risk Management
• Identify Risks to your mission / objectives / strategic plan
• Evaluate the likelihood and impact of risks
• Learn about emerging risks and best practices in mitigation
• Assess the overall risk & develop a practical response
6. 6
Purpose
To provide a summary of potential events that may affect your organization and manage risks to provide reasonable assurance regarding the achievement of your mission and objectives.
Enterprise Risk Management (ERM)
7. 7
Why is ERM on the Rise?
• Regulator demands
• Unanticipated risk events affecting the organization
• Emerging best practice expectations
• Emerging corporate governance requirements
• Board of Director requests
http://www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2017.pdf
8. 8
Why is this Important?
It is a proven methodology to capture your risks and visually rank them so your organization can make informed decisions on how to spend your budget dollars.
Priorities
13. 13
Building a Framework
Things to consider when building your framework:
– Framework – ISO vs COSO
– Where to Start – Full rollout? Phased approach?
– What Model to implement – Risk factor vs objectives based?
– ERM Organizational position – CRO, CAE, Risk Manager, Risk Committee?
17. 17
Risk Event Identification Techniques
May include a combination of different types of techniques combined with supporting tools:
– Event Inventories
– Internal Analysis & Surveys
– Process Flow Analysis
– Current Events
– Facilitated Workshops and Interviews
19. 19
Methods to Rank Risk
Qualitative
A qualitative analysis would use a scale of "Low, Medium, High" to indicate the likelihood of a risk event occurring.
Quantitative
A quantitative analysis will determine the probability of each risk event occurring. For example, Risk #1 has an 80% chance of occurring, Risk #2 has a 27% chance of occurring, and so on.
Our discussion will focus on qualitative analysis.
20. 20
Develop Risk Analysis Matrix
Develop a risk mapping for impact and likelihood to help determine which risks need a risk response. For example:
21. 21
Types of Risk Impact
In order to align discussions around why risks are significant and what should be done about them, you should consider dividing your analysis into types of impact:
Strategic – causes a strategic objective to fail
Financial – incurs unanticipated costs or reduces revenues
Operational – affects the quality or efficiency of how work gets done
Environmental, Health and Safety – jeopardizes staff, volunteers or others’ well-being
Technology – exposes application, data, operating systems, network or infrastructure to inappropriate access/change
Legal – triggers arbitration or litigation against your organization
Reputation – creates negative media attention
24. 24
Determine Risk Mitigation
Reduce / Mitigate risk – activities with a high likelihood of occurring, but where impact is low.
Eliminate / Avoid risk – activities with a high likelihood of loss and high impact.
Share / Transfer risk – activities with a low likelihood of occurring, but with a high impact.
Accept risk – if cost-benefit analysis determines the cost to mitigate the risk is higher than the cost to bear the risk.
25. 25
Risk mitigation - Insurance
• Risk transfer involves moving risk to a 3rd party via a contractual arrangement
• Insurance is the most common Risk Transfer mechanism
• Outsourcing: risk transfer financial offset – pre-incident assessment planning, loss control, property/cyber penetration testing
27. 27
Example Category - Personnel/Volunteers Risk
• Injury at work
• Cause injury to your organization’s client
• Harm the reputation of your organization
• High turnover
• Trigger a cyber security incident
28. 28
Example Category - Financial Risk
• Inaccurate and/or insufficient financial information
• No financial planning (budgeting)
• Lack of financial liquidity
• Poor pricing policy (e.g., overpriced activities in grant applications)
• Excessive indebtedness
• FX losses
• Financial fraud
• High transactional costs
• Inadequate maintenance of long-term sources of funding
• Inadequate reserves and cash flow
• Dependence on a low number of revenue sources
• Inadequate investment policy
• Inadequate insurance coverage
• Funds used against the intent of donor/grantor
29. 29
Example Category - Operational Risk
• Not enough beneficiaries
• Not enough well-trained personnel
• Uncertainty about security of assets
• Competition from other organizations
• Dependence on suppliers (their strong bargaining power)
• Ineffective fundraising system
• Lack of formalized procedures
• Inefficient and ineffective IT system
• Implementing activities in a dangerous environment
• Natural disaster, fire, flood, theft
• Deviation from core mission “in search of” funding sources
30. 30
Example Category - Management
• Inadequate organization structure
• Management lacks adequate experience or is not well organized
• Management dominated by individual leaders
• Resignation of key personnel
• Conflict of interest
• Ineffective communication system
• No direction, strategy, and plans
31. 31
Example Category - Grant Risk
• Delays in disbursement
• Lack of knowledge and skills to utilize the awarded grant
• Changes in environment preventing utilization of the awarded grant
• Undervalued contract
32. 32
Emerging Risks: Privacy / GDPR
Are you ready for the General Data Protection Regulation (GDPR)? GDPR is the most important change in privacy in 20 years, taking effect May 25, 2018.
In the future, aspects of the European GDPR are likely to find their way into other regulation as well, so organizations should start to prepare their policies and procedures for this.
34. 34
What is the GDPR?
European Union’s new framework for data protection law replaces the 1995 Directive
One Stop Shop – EU “main establishment” of controller works with Lead Supervisory Authority
Application to Companies Worldwide – Simply offering products to and/or collecting data about persons in the EU is enough for the law to apply; applies to Data Controllers and Data Processors
Effective Date – May 25, 2018
35. 35
What is the GDPR? (cont’d)
Principle Based – Purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability
Lawful Basis Required for Processing Personal Information
Greater Protections and Rights to Individuals in the EU
Privacy Information must be clearly communicated
Data Protection Officers (regular and systematic monitoring on a large scale, or sensitive data, or public body); Associations representing categories of controllers MAY designate a DPO for their Controllers
Appropriate security of Personal Data
36. 36
GDPR: Penalties, Complaints, Reputation
Penalties
• 20 million euro or up to 4% of total worldwide annual turnover, whichever is higher
• Member States can impose additional fines not covered by Art. 83
Complaints/Investigations
Reputational Consequences
37. 37
GDPR applies…
When a company processes an EU data subject’s information, if the processing is related to:
• offering or providing goods or services – even if no payment is required
• monitoring individuals in person or online
38. 38
GDPR does not apply…
If the data does NOT relate to an identified or identifiable natural person, or if the data is rendered anonymous in such a way that the data subject is no longer identifiable (e.g. fully anonymized data – no identifiers; a research report that only includes statistical information with no identifiers).
What about pseudonymous data?
• Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. GDPR promotes the use of this.
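The separation the slide describes, as an added example rather than material from the webinar: direct identifiers in a registration record are replaced by a keyed token, and the HMAC key plus the token-to-identity table are the "additional information held separately" that a custodian keeps away from the working data set. The record fields, the sample registrations and the custody split are constructed assumptions for illustration.

```python
"""Pseudonymisation in the GDPR sense: direct identifiers are replaced by a
token, and the information needed to reverse that (the key and the lookup
table) is kept separately from the working data set.

Added example; the record fields and the key-custody split are assumptions,
not the webinar's own material.
"""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")


class Pseudonymizer:
    """Keyed tokenisation of identifiers.

    The HMAC key and the token-to-identity table are the 'additional
    information held separately': whoever holds only the pseudonymised
    records cannot link a token back to a person, and cannot recompute the
    token for a guessed identifier without the key (an unkeyed hash would
    allow exactly that, which is why a plain SHA-256 is not used here).
    """

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup = {}  # token -> original identifier, kept with the key

    @staticmethod
    def _normalise(identifier):
        # Same person, same token: trim and lower-case before keying.
        return identifier.strip().lower().encode("utf-8")

    def tokenise(self, identifier):
        digest = hmac.new(self.key, self._normalise(identifier), hashlib.sha256)
        token = digest.hexdigest()[:24]
        self.lookup[token] = identifier
        return token

    def reidentify(self, token):
        """Only the key custodian can do this; returns None for unknown tokens."""
        return self.lookup.get(token)


def pseudonymise_record(record, pz):
    """Return a copy with direct identifiers replaced by a single subject token.

    Non-identifying attributes stay so the data remains useful for analysis;
    the token is derived from the most stable identifier present (email).
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = pz.tokenise(record["email"])
    return out


def pseudonymise_dataset(records, pz):
    return [pseudonymise_record(r, pz) for r in records]


def registrations_per_course(pseudo_records):
    """Aggregate with no identifiers at all: this output is anonymous, not
    merely pseudonymous (the slide's 'statistical information' case)."""
    counts = {}
    for r in pseudo_records:
        counts[r["course"]] = counts.get(r["course"], 0) + 1
    return counts


# Constructed sample: course registrations, in the spirit of slide 40's examples.
SAMPLE_REGISTRATIONS = [
    {"name": "Alice Example", "email": "alice@example.org", "course": "GDPR 101", "paid": True},
    {"name": "Bob Example", "email": "Bob@Example.org", "course": "GDPR 101", "paid": False},
    {"name": "Alice Example", "email": "alice@example.org", "course": "ERM Basics", "paid": True},
]

if __name__ == "__main__":
    custodian = Pseudonymizer()  # key and lookup table stay with the custodian
    working_set = pseudonymise_dataset(SAMPLE_REGISTRATIONS, custodian)
    for row in working_set:
        print(row)
    print(registrations_per_course(working_set))
    # Linkage across records still works: both of Alice's rows share a token.
    print(working_set[0]["subject_token"] == working_set[2]["subject_token"])
    # Reversal requires the custodian's table, not the working set.
    print(custodian.reidentify(working_set[1]["subject_token"]))
```

Whoever receives only `working_set` sees consistent tokens and can still count and join records, but re-identification needs the custodian's key and table.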
39. 39
GDPR: Controllers and Processors
Controller: company that alone or jointly with others determines the purposes and means of processing of personal data
Joint Controller: when two or more controllers determine the purposes and means of processing
Processor: processes data on behalf of the controller
40. 40
GDPR: Processing
Any operation which is performed on personal data such as collection, storage, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.
Examples: processing hotel room or conference registrations; selling books or online courses
41. 41
GDPR: What is Personal Data?
"Personal data" is any information which relates to a living individual who can be identified:
• From that information
• From that information combined with other information held or likely to come into the possession of the company
Examples:
Name
Postal or work or email address
Phone number
ID numbers (e.g. passport, license)
Location data (usually from devices)
Bank account details
Expressions of opinion
Photographs, sound recordings, film
IP addresses
Information stored in cookies or similar technologies
Training records
42. 42
GDPR: What is Sensitive Data?
Sensitive data requires special handling and higher protections
Not specifically defined under the GDPR, so Member States can regulate further
GDPR prohibits their processing unless exemptions are in place: explicit consent, employment obligations, etc.
Examples:
Biometric data
Health and genetic data (allergies)
Employment data
Criminal convictions
Racial or ethnic data
Political opinions
Religious or philosophical beliefs
Trade-union membership
Sex life or sexual orientation
43. 43
GDPR: Key Changes
Data Subject Rights – Increased transparency and creating new rights: Right to Access, Right to be Forgotten, Data Portability
Consent – Consent for processing must be freely given, specific, informed and unambiguous. Strict Requirements – see Art. 29 WP Guidance
Data Processors and Controllers – More contract requirements to be flowed by controllers to processors (data processing agreements)
Data Protection by Design (DPbD) – DPbD is about ensuring that privacy is embedded throughout the organization and being able to demonstrate compliance to regulators
Cross-Border Transfers – This privacy-compliant cross-border data transfer strategy must have “adequate protections”
Data Breach Notifications – Controllers required to notify the competent supervisory authority and, in certain cases, also the affected data subjects. Generally within 72 hours.
44. 44
GDPR: Security Requirements
Flexible requirement that takes into account several factors: (1) state of the art; (2) implementation costs; (3) nature, scope, context and purposes of processing; (4) risk of varying likelihood and severity for the rights and freedoms of natural persons
Breach notification requirement: 72 hours or without undue delay
Specific callouts for: encryption, pseudonymization, backups, procedures for regularly testing/assessing/evaluating effectiveness of security measures
45. 45
GDPR: What Companies Can Do To Comply?
Organization:
• Assemble Your Team
• Roles & Responsibilities
• Know your data
• Security Obligations
Document:
• Privacy Policy
• Security Policies
• Breach Response Plan
• Document Retention Plan
Processes:
• Determine Systems tied to Data
• Employee Outreach
• Collaboration
• Training
Monitor & Enforce:
• Encourage Communication
• Make Good Conduct Visible
• Manage Employee Error
46. 46
GDPR: Data Governance
• Policies – data governance policy with data classification scheme
• Processes – roadmaps for determining governance steps
• Data Mapping and Inventory – required to document all data processing activities in lieu of notifications/approvals to DPAs
• Vendor Management – who has data, where is it, and how is it managed
47. 47
GDPR: Contracts for Using Processors
Processor must provide contractual guarantees that they use data security technology and methods that meet GDPR
Gap analysis and legal review of contracts, and determine if amendments need to be made to meet GDPR requirements
Make amendments in order to continue using Processor in compliance with new requirements
48. 48
GDPR: Data Transfers
Only one part of GDPR compliance – still many other compliance requirements
Options – need to have “adequate data privacy protections”
• Standard Contractual Clauses
• Privacy Shield – Not for Trade Associations, Other nonprofits, No Banks (must have FTC jurisdiction)
• Binding Corporate Rules (GDPR gold standard, but complex)
• Country deemed by EU as having “adequate protections” (Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay – NOT US)
49. 49
GDPR: Standard Contractual Clauses
What are Standard Contractual Clauses?
Pre-approved contractual language to be incorporated into agreements, unchanged.
Two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA, and one set for the transfer from controllers to processors established outside the EU/EEA.
50. 50
GDPR: Data Transfer Exceptions
Consent – must be informed, explicit, more complex under GDPR
Contract – must be necessary for performance or conclusion of a contract or implementation of pre-contractual measures taken at the data subject's request
Public interest
Legal claims – necessary for the establishment, exercise, or defense of legal claims
Vital interests – necessary to protect the vital interests of the data subject or of other persons (if the data subject is physically or legally incapable of giving consent)
51. Emerging Risks: Culture and Conduct
“It takes 20 years to build a reputation, and five minutes to ruin it. If you think about that, you’ll do things differently.”
-Warren Buffett
52. Culture and Conduct Risk: Recent Examples
For-Profit World: Wells Fargo – Banking Scandal; Volkswagen – Emissions Scandal
Individuals: Harvey Weinstein; Matt Lauer; Others
Non-Profit World: Hotchkiss – Tick-Bite = $41 million; NRA; OXFAM
53. Culture & Conduct Risk: Tone from the Top
Ensure cultural values are reflected in the organization’s:
Strategy
Risk appetite
Compliance frameworks
ACTIONS
54. Culture & Conduct Risk: Independent Assurance
Organizations should demonstrate due diligence by conducting independent risk reviews / health checks over the following areas:
Strategy
Policies & practices
Training
Investigation procedures
Review of KPIs
55. Emerging Risks: Third-Party
Fees and fines related to third-party risk may be significant, but the long-term brand and financial impact of reputation loss can be much worse. A third-party engagement can be ended; reputation losses are often far more severe than any fine.
56. Why Manage and Assess Third-Party Risks?
Third-Party Risk Examples:
Cyber Security
Intellectual Property Theft
Manufacturing Quality Control
Data Protection
Safety / Occupational Hazard
Money Laundering
Bribery and Corruption
Political Exposure
Social Responsibility
Fraud
Wage and Hour Violations
Conflict Minerals
57. TPRM – Third Party Risk Management
TPRM is the process of analyzing and mitigating risks to your company by parties OTHER than your own company.
• TPRM can reduce likelihood of:
data breach costs
operational failures
vendor bankruptcy
reputation damage
58. TPRM Third-Party Stratification Example
• Tier 1 – Critical vendors (10%) – PII + critical systems
• Tier 2 – Major vendors (40%) – PII OR critical systems
• Tier 3 – Vendors (50%) – commodities/low risk purchases
59. TPRM Third Party Due Diligence Example
Due Diligence is the process by which the vendor is reviewed to determine its suitability for a given task.
Risk Assessment (Documentation, Categories of Risk, Financial projections & review)
Insurance Review
Background check
Legal Review
Vendor Audits and/or SOC reports
60. ERM - Critical Success Factors
Obtain senior management approval and involvement
Designate committees or individuals to champion
Develop Procedures
Involve business and technical experts
Formalize reporting to leadership
61. Develop ERM Procedures
Who is responsible for initiating and conducting risk assessments
Who will participate
What steps will be followed
How disagreements will be handled and resolved
What approvals will be needed
How assessments will be documented
How documentation will be maintained
62. Formalize Risk Reporting
1. Updated Risk Universe (Enterprise Universe; Survey Results)
2. Risk assessment criteria – use risk assessment criteria to prioritize risks and identify the most significant risks to the organization
3. Prioritized risk heat map
4. Mitigation Plans – identify risk mitigation plans for the top 10 most significant risks
Here it is in simple terms - the end goal is providing the board with the top 10 to 20 enterprise-wide risks identified and the plan to approach each risk.
But in reality so much more is happening when you implement ERM – performing these exercises to gather and assess risks helps create a culture built around risk-aware / risk-conscious decision-making throughout the organization. Invaluable! It changes the culture.
6 Fundamental benefits of elevating risk management to a strategic level
Reduce unacceptable performance variables
Align and integrate varying views of risk management (eliminate silos)
Build confidence of investment community and stakeholders
Enhance corporate governance
Successfully respond to a changing business environment
Align strategy and corporate culture
ERM is a structured, consistent and continuous risk management process that is applied systematically across the entire organization. ERM drives value by:
Proactively identifying, assessing, and prioritizing significant risks
Developing and deploying effective mitigation strategies
Aligning with strategic objectives and business processes
Embedding key components into the organization’s culture:
Risk ownership, governance and oversight
Reporting and communications
Leveraging technology and tools
ERM is based on the Board’s and management’s expectations regarding acceptable levels of risk (“risk appetite”)
Melissa
So to continue with the theme of why this is important – last but not least – it helps you prioritize the already limited resources that you have.
Helps with smart budgeting – you can allocate resources in your budget to hire certain skill sets, certain technologies to help mitigate risks.
Helps you be proactive rather than reactive
An understanding of the entity’s objectives is essential to the success of your ERM program.
Risks are defined as events that can prevent the achievement of objectives and are prioritized in risk assessments based in part on their impact to achieving objectives.
Collaboration Risk
Organizations want to work internationally
Specific examples of those risks are provided in later slides
Note that the mitigation plan can be the next column for High risk and above
Transition to Derek
Note that we will go over risk examples and a deep dive on emerging risks – then will circle back to ERM critical success factors.
Consider annual board retreats where strategic plan is updated, enterprise risk management initiatives and townhall gatherings into your annual activities to ensure proper tone is conveyed from strategy to employee.
Top management should be the example, not the exception.
Ensure direct access to the leadership team is available and that there is a process in place for reporting culture, conduct and compliance issues.
Whistleblower and Non-retaliation policies - Consider creating a policy or reviewing your existing one for adequacy
Ensure that the organization incentives and/or internal promotions are linked to good conduct.
Demonstrate Due Diligence.
Basic Employment Law
Interviewing Skills
Performance Reviews
Sexual Harassment
Supervisory Skills
Diversity and inclusion
International Travel – Due Diligence
1. Soha Systems Survey on Third Party Risk Management notes that 63% of all data breaches can be attributed to a third party vendor.
2. Dependency on vendors can create business continuity risks – the question to ask yourself is: if their services stopped, would it interrupt our operations (e.g. an IT supplier or a key role in the supply chain)?
3. Do your vendors interface with your financial systems? Synchronization risks can lead to a material misstatement.
Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle!
Assess your current environment
Develop a 3rd party framework based on your organization's context
Develop risk stratification guidelines to highlight risks by vendor
Implement and conduct vendor assessments
Establish a reporting process
Competition is good. Don’t decide on a vendor too early in the process.
Best price does not equal best vendor; focus on meeting your requirements
Audit your process
Develop and document procedures for conducting risk assessments and develop templates and tools to facilitate and standardize the process
The procedures generally contain the following information:
How are risks communicated from the business unit leaders to senior executives?
Scheduled agenda discussion at management meetings
Written reports prepared either monthly, quarterly or annually