Beyond Compliance
Simone Wray
Head of Risk Management
IIRSM Conference 24 May 2018
Data Classification: Internal
The Challenge of Compliance in Practice
Stakeholder perception of risk and compliance?
And things still go wrong
What are the drivers for going above and beyond?
Attitude to risk
Enterprise Risk Management
Needs to be understood in the context of what an organisation is trying to achieve rather than what it wants to avoid.
Business Risk Matrix: Estimation of Impact

Impact levels: 1 Manageable, 2 Moderate, 3 Serious, 4 Critical

Finance
  1 Manageable: < £500k
  2 Moderate: £500k - £2.5m
  3 Serious: £2.5m - £7.5m
  4 Critical: > £7.5m

Company Priorities
  1 Manageable: Minor change in scope/outcome with minimum impact.
  2 Moderate: Change in scope/outcome with minimum impact but requires approval.
  3 Serious: Change in scope/outcome that impacts priorities and requires approval.
  4 Critical: Change in scope/outcome that means a priority cannot be delivered.

Project Objectives
  1 Manageable: No change to business case benefits.
  2 Moderate: Change to business benefits of < £100k that requires approval by the Project Steering Board.
  3 Serious: Change to business benefits of > £100k that requires approval by the Avios Investment Committee.
  4 Critical: Change to business case benefits such that the project is no longer viable, with the decision to stop taken by the Avios Investment Committee.

Compliance
  1 Manageable: Breach that can be resolved internally. Existing policy/procedures found to be adequate.
  2 Moderate: Breach that can be resolved internally. Existing policy/procedures found to be inadequate.
  3 Serious: Breach that requires notification to the relevant regulatory authority; sanctions possible.
  4 Critical: Breach that requires notification to the relevant regulatory authority; sanctions probable. Knowledge of the breach likely to be public.

Stakeholder Trust
  1 Manageable: Trust dented – recoverable with time and PR support.
  2 Moderate: Trust diminished – recoverable with senior management intervention.
  3 Serious: Trust damaged – recoverable with LT overview.
  4 Critical: Trust lost – LT priority action and/or Board overview required.
Risk Scoring (score = Impact x Probability)

                        Probability
Impact                  1 Remote   2 Possible   3 Probable   4 Likely
4 Critical                  4          8            12          16
3 Serious                   3          6             9          12
2 Moderate                  2          4             6           8
1 Manageable                1          2             3           4
Estimation of Probability

  1 Remote:    < 25%     Only expected to occur in exceptional circumstances
  2 Possible:  25%-50%   Not expected to occur but could occasionally
  3 Probable:  50%-75%   More likely to occur than not
  4 Likely:    > 75%     Expected to occur in most circumstances
Risk Monitoring, Escalation and Reporting

High Risk: Active Management and Review
  • This should trigger a review of the existing and planned controls
  • The risk should be escalated and reported as a key risk to the respective stakeholder group

Medium Risk: Control Critical
  • Review existing controls and aim to reduce cause and/or effect in relation to the cost and benefit
  • Review regularly

Low Risk: Manageable
  • No further action required at this point
  • Review routinely
Significant Risks
Strategic
Project
Operational
Source: IIA POSITION PAPER: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL
Combined Assurance Map
Source: KPMG
Everyone has a role to play
Homeworking – Case Study
DSE (Display Screen Equipment) Compliance
Homeworking Model
Managing the homeworker
  • Definitions
  • Factors in deciding whether an employee could work away from the office
  • Considerations before an employee starts working away from the office
  • Considerations for the employee
Compliance is an opportunity not a problem
Making any decision is about taking risk, and risk management is not about no risk as much as NO SURPRISES.