ARMA NCR April 28 Risk Profile Presentation, by Anne Lalonde
03/06/2015
Presented by Anne Lalonde Consulting
- Introduction
- Learning Outcomes
- Definitions
- About Justice Canada’s Risk Profile of Information Resources Guideline
- Risk Statements & Examples
- Examples from other GoC Departments and Agencies
- Workshop Activities 1, 2, 3 (in groups)
- Monitor and Manage Risks
- Wrap-up and Evaluation
At the end of this workshop, you will be able to identify risks to information resources, elaborate mitigation strategies, and monitor and manage these risks.
KNOW YOUR RISKS!
Risk Profile of Information Resources: A document that presents all the legal, regulatory, access to information, security of information, and protection of personal information risks, response protocols and mitigation strategies as they relate to an organization’s information resources.

Versus

Corporate Risk Profile: A Corporate Risk Profile enables an organization to obtain an overview of its key risks, including an understanding of the organization's operational context and objectives with respect to managing risk.
- Initiated on 2011-12-02 by A. Jolicoeur and revised by numerous stakeholders, e.g. LAC
- Approach: Review Key Documents & Conduct Interviews w/ Program Managers
  - MAF results AoM 12 (IM) and AoM 8 (Security)
  - Corporate Risk Profile, Security Plan, Audits, Report on Plans and Priorities
  - IM Plans and RKAT
  - Review Additional Resources
- Report from ATIP Tracking System
- Business Continuity Plan
- Interviews w/ Program Managers to confirm results and elicit other risks
- Review MAF AoM 12 and AoM 8
- Review IM Evaluation and Performance Management Results
- Review Existing Risk Assessment Tools
- Evaluate Overall IM Environment
- Define Areas of IM Risks
- Risk Mitigation Assessment
- Apply Risk Level
- Complete Risk Profile Summary Report and Next Steps
What is a Risk Statement?
It is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization’s objectives. (Source: TBS Guide to Risk Statements)
1. Significant delays in retrieving records due to current tools for data storage and retrieval practices may leave the department unable to adequately respond to Access to Information requests and e-discovery exercises.
2. Improving records management processes and tools through investing in new technologies and liaising with organizations identified as having best practices may lead to more effective management and response to official requests.
3. The security of departmental networks and records could be seriously compromised if new standards are not implemented.
- Using documents provided, identify 3 risks and debate these risks within your group.
- Using the “Risk and Mitigation Worksheet”, elaborate risk statements, risk drivers, potential consequences and mitigation strategies.

Risk and Mitigation Worksheet
A. Risk Description (review documents and identify risks)
B. Risk Drivers (describe the influencers of the risk)
C. Potential Consequences (describe consequences if the risk is not addressed)
D. Current Mitigation Strategies (describe strategies to minimize the risk)

- Using the “Risk Assessment Grid” provided, calculate “Impact”, “Likelihood” and “Residual Risk”.
- Categorize each risk according to “Risk Areas” provided and prioritize risks.
Risk Assessment Grid (excerpt): 6, Medium: Management attention and regular rigorous monitoring required
- Write a generic questionnaire with open-ended questions for face-to-face interviews with Program Managers, with the purpose of validating existing and eliciting new risks to information resources.
- Conduct an interview with a member of your team to test the questionnaire and make any necessary adjustments.

Examples:
- Are the proper controls in place to protect personal information?
- Are there issues with searching and finding information in response to ATIP requests?
- Are there any risks in completing planned activities as part of the IM & Recordkeeping Plan?
- What are the issues you face with managing information resources?
- Set up a review schedule
- Ensure mitigation strategies have been included in the IM and Recordkeeping Plan, Security Plan, Corporate Risk Profile, Plans and Priorities
- Ensure awareness provisions are set in the IM and Recordkeeping and the Departmental Security Plans
- Present and share this report with Strategic Planning, Audit and Ethics, Security divisions and business units who have a stake in the report
- Note: See Justice’s Monitoring Report
Risk is the potential of losing something of value.