Enterprise Risk Management for Community Banks
Brian T. O’Hara CISA, CISM, CRISC, CISSP
CISO, The Mako Group, LLC
[email protected]
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara
Jan 25, 2017
The Mako Group, LLC
• IT & Info Sec Auditing
• IT Risk Assessments
• Security Training
• Vulnerability Assessments
• Social Engineering
• PCI DSS 3
• FISMA Audits
• Penetration Testing
• Gap Assessments
• SOC 1 and SOC 2
• SOX 404
• HIPAA
• Virtual CISO
The Mako Group, LLC
• 1570 Woodward Ave., Detroit, MI 48266 – Phone: 313.355.0538 – Email: [email protected]
• 110 West Berry Street, Suite 2400, Fort Wayne, IN 46802 – Phone: 260.267.5999 – Email: [email protected]
• 8555 River Road, Suite 315, Indianapolis, IN 46240 – Phone: 317.941.MAKO (6256) – Email: [email protected]
BIO
• CISO of The Mako Group, LLC
• ISSA Fellow
• Program Chair, CINT Ivy Tech NE
• Adjunct Faculty, Indiana Tech
• CISSP - Certified Information Systems Security Professional
• CISA - Certified Information Systems Auditor
• CISM - Certified Information Security Manager
• CRISC - Certified in Risk and Information Systems Control
BIO
• CAE of The Mako Group, LLC
• CPA
• MSA – Master of Science in Accountancy
• ISACA Detroit Chapter
• CISA - Certified Information Systems Auditor
• Previously ran the Sarbanes-Oxley and FDICIA programs for Ally Bank
What Is ERM?
• Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (http://www.rims.org/erm/pages/WhatisERM.aspx)
ERM Elements?
• Tied to the Bank’s Strategic Plan
• Chief Risk Officer (Top-Down Approach)
• Correlations (non-silo)
• Target Objectives
• Measurable
• Focus on Outcomes
ERM Principles
• Not just about Risk Mitigation
  – It is a management system
• Management Model that leads to action
• Unified Approach
• Answers Key Questions
Quiz 1
• Who Invented the World Wide Web?
• Tim Berners-Lee
ERM Key Questions
• Do we understand risk across the enterprise?
• What is the reward?
• Is the risk acceptable?
• Is the reward great enough?
• Does it link strategies?
• Is it supported from the top down?
• Are decisions made with input to the business as opposed to protecting lines of business?
Who Is ERM Designed For?
• Community Banks?
• Size?
• Complexity?
• Affordability?
• Value Add?
Examples
• Larger Banks
• Publicly Traded Companies (SOX)
• Service Providers (CORE)
ERM Value?
• Provides a more robust picture of risk
• Corrects Silo Risk Mentality
• Provides Greater Transparency
• Delivers Effective Resource Allocation
• Shifts Focus from Reactive to Proactive
• Examiner Expectations
Sound ERM
• IT Risks Rolled Up
• NO Risk Silos
• Integrated with Business Strategy
• Provides More Accurate Picture of Tolerance
• More Effective Resource Allocation
• Proactive vs. Reactive
• Helps Identify Key Controls
Poor ERM
• Risk Silos
• Poor View of Overall Risks
• Reactive rather than Proactive
• Examples
  – Target
  – TJ Maxx
  – Heartland Payment Processors
Quiz 2
• What was the first commercial web browser?
ERM Frameworks?
• COSO
• RIMS
• ISO
• COBIT
• FFIEC Guidance
• Johnson and Johnson
• NIST
Risk Management Frameworks?
• Cybersecurity Framework (Executive Order 13636)
• NIST
• COBIT
• COSO
• ISO
• FFIEC Guidance
Communicating ERM Across Enterprise
• Quantitative vs. Qualitative
• $ to Risk to Exposure
• Opportunities
How To Implement ERM
• Pick a framework
• Get top management buy-in
• Establish enterprise stakeholders
How to Discuss with Sr. Mgmt
• Cost
• Risk
• Opportunity
How to Explain
• Quantitative vs. Qualitative Information
Quiz 3
• Who sent the first official “email” over the internet?
• Mark Tomlinson
When is ERM not a good fit?
• Lack of Sr. Management buy-in
• Size and complexity of operations
• Too expensive, cost vs. benefit
ERM Problems
• Lack of a single unifying framework
• Remains reactive
• Discounts insiders (relies on “experts”)
• Does not calculate mitigation costs
• Fails to rank risk
• Lack of academic studies showing effectiveness
Cybersecurity Framework
• NIST Creation
• Fits smaller community banks
• Easily tailored and scalable
• Encompasses ERM key components
• Provides control mappings to standards
• Above and beyond examiner expectations
• Affordable implementations
The Mako Group’s Approach (Hybrid)
• Guided (organization is the expert)
• Holistic
• Eclectic
• Customized based on organization needs
• Based on value added
• Built to optimize resource allocation
Conclusions
• ERM is not always a good fit
• Can be costly
• Can add unforeseen visibility
• Can add predictive value
• Can still provide guiding principles
Summary
• ERM value still unclear
• ERM is a holistic approach
• More complex
• More about choosing pieces that work for you
• Hybrid approaches using models like the Cybersecurity Framework provide the best of both worlds