Uploaded byRamsés Gallego
From technology risk_to_enterprise_risk_the_new_frontier
The document discusses the evolution of risk management from focusing on technology risks to encompassing broader enterprise risks. It emphasizes the importance of understanding different types of risks, conducting risk analysis, and implementing a structured approach to risk management through defined processes. Key elements include risk transfer, tolerance, termination, treatment, and communication to align risk management with business objectives.
More Related Content
Similar to From technology risk_to_enterprise_risk_the_new_frontier
![Enterprise risk-mgmt[1]](https://cdn.slidesharecdn.com/ss_thumbnails/enterprise-risk-mgmt1-120905013017-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]](https://cdn.slidesharecdn.com/ss_thumbnails/codedagentsdeck-251215155422-5497c599-thumbnail.jpg?width=640&height=640&fit=bounds)
From technology risk_to_enterprise_risk_the_new_frontier
- 1. From Technology Risk to Enterprise Risk: The New Frontier Ramsés Gallego CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt General Manager Entel Security & Risk Management rgallego@entel.es 1
- 2.
- 3.
- 4. Definitions frontier noun • the farthermostlimits of knowledge or achievement in a particular subject • a line of division between things <the frontiers separating science and the humanities — R. W. Clark> • a new field for exploitative or developmental activity frontierless adjective ORIGIN late Middle English : from Old French frontiere, based on Latin frons, front- ‘front.’ 4
- 5. What is risk? • An inherent part of any ac3vity • Imprac3cal to eliminate totally • The risk equa3on includes: value, threats, vulnerabili3es, impact,... 5
- 6. Some facts • 36% of companies do not know the threats that they are exposed to • 24% admit that the organiza3on lacks the procedures that would allow to manage them • 19% acknowledge that does not have the tools to analyze and control risks Soruce: Merrill Lynch CISO Survey, Deloitte 2009 Security Survey 6
- 7. The changing faceof risk • Risk is the level of exposure to uncertain3es that an organiza(on must understand and manage effec(vely while performing its du3es to achieve objec3ves and create value • The uncertainty of an event happening (or not) can have an impact on the achievement of corporate goals 7
- 8. What type ofrisks are we facing? • Different categories: reputa3onal risk, project management risk, provisioning risk, HR risk, hygienic risk, fraud risk, legal risk, environmental risk, opera3onal risk, financial risk, TECHNOLOGY RISK, ... • Related to: – its origin – a specific ac3vity, an event or an incident – its consequences or impact – a reason – protec3on mechanisms or countermeasures – 3me of occurrence 8
- 9.
- 10. What can wedo with risk? • Transfer risk • Tolerate or accept • Terminate the ac3vity • Treat risk 10
- 11. Technology risk management • Part of Global Risk Management • Focused towards and efficient balance between opportuni3es and losses • Needs a risk analysis combined with a business impact analysis (BIA) 11
- 12. Implementing Risk Management • Five core processes: – Defini3on of scope – Risk analysis – Risk Treatment – Risk Communica3on – Monitor and review 12
- 13. Framework for arisk analysis • Start a value analysis • Consider aggregated risk 13
- 14. The Risk ITFramework 14
- 15.
- 16.
- 17. Risk Analysis • Can be quan3ta3ve or qualita3ve • Works at mul3ple levels • Visibility across the company • Management support is instrumental 17
- 18. The value ofassets • Value at Risk (VAR) • Single Loss Expectancy (SLE) • Annualized Loss Expectancy (ALE) • Exposure Factor (EF) 18
- 19. Risk Communication • Communica3on channels must be created • Mul3-‐dimensional • Related with incident & response management disciplines • Metrics and indicators 19
- 20.
- 21.
- 22.
- 23.
- 24. Alignment? with the business 24
- 25. What is acontrol? • An ac(on taken by Management in order to manage risk so that objec(ves are met • Preven3ve, Correc3ve and Detec3ve 25
- 26. CSFs, KGIs, KPIs:what are they? • CSFs: Critical Success Factors or “vital elements” • KGIs: Key Goals Indicators or “what” needs to be accomplished • KPIs: Key Performance Indicators or “how good” the process is behaving 26
- 27. Monitor vs. Manage R A GE ITO Refine, observe, MA N M ON analize and classify data Value (and cost) provided by Act with systems business knowledge, in a Centralize single place access to data Apply business relevance to the according to content and information to business needs applica3ons determine business priorities DATA INFORMATION KNOWLEDGE ACTION Level 1 Level 2 Level 3 Level 4 27
- 28.
- 29. Some examples... © Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com © Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com 29
- 30. ...from the real world 30
- 31.
- 32. ...to what really maOers 32
- 33.
- 34.
- 35. THANK YOU Ramsés Gallego CISM, CGEIT, CISSP SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt , General Manager - Entel Security & Risk Management rgallego@entel.es 35