This document discusses optimizing risk management to create business value. It begins by introducing the speaker, Garry Barnes, and his experience in risk management. It then outlines common approaches to risk management, noting that low-performing organizations see risk as compliance-driven while top performers link risk closely to strategy. The document advocates developing risk capabilities, using risk scenarios and defining risk appetite. It provides guidance on designing, implementing and governing an organization's risk appetite using domains, statements and metrics. The overall message is that effective risk management requires optimizing risk-taking to balance costs and benefits in pursuit of business objectives.

1. Garry Barnes
Vice President
ISACA
VALUE CREATION THROUGH
OPTIMISING RISK
October 2014

2. BACKGROUND
ISACA:
International Vice President
Strategic Advisory Council
Credentialing and Career
Management Board
CISM Certification
Committees
Sydney Chapter 2003-2012
(President 2008-10)
Security, Governance, Risk
and Audit:
Managing Consultant, BAE
Systems
Risk Manager & Information
Security Consultant,
Commonwealth Bank of
Australia
Information Security Manager
& IT Audit Manager, NSW
Departments of Education &
Commerce
CISA CISM CGEIT
CRISC MAICD

3. COMMON APPROACHES
Risk: the likelihood that a loss will occur.
Risk = Threats x assets x vulnerabilities
3 |
22/10/2014

4. RISK MANAGEMENT AT LOW PERFORMING
ORGANISATIONS
✗ Is used primarily for
compliance:
✗ Supporting compliance
reporting
✗ Identifying and assessing
controls to minimise breaches
✗ Is constrained by internal
organisational boundaries
✗ Is reactive:
✗ An additional and separate
step in decision making
✗ Identified risks viewed as poor
performance
✗ Static view of risk:
✗ Ignoring changing business
requirements
✗ Once a year risk
assessment
✗ Ineffective risk monitoring:
✗ Inaccurate measurement of
actual risk levels
✗ No enterprise-wide view
provided by risk aggregation
✗ Wrong accountability model:
✗ Risk Managers (or Owners)
vs Risk Facilitators (or
Function)

5. RISK MANAGEMENT AT TOP PERFORMING
ORGANISATIONS
ü Is closely linked with strategy:
ü Risk with new products and
services, Mergers and
Acquisitions, etc.
ü Is a proactive and consistent:
ü Risk information is available
to support strategic, change
and operational decisions
ü Integrates Enterprise and IT
risk:
ü Common language
ü Aggregation of risks
ü Links with business
outcomes:
ü Creates awareness and
understanding of risk policy
ü Risk Appetite Statement
provides a reference point
leading to better business
decisions

6. COBIT 5 – “RISK OPTIMISATION”
The Governance Objective:
“Value creation means realising benefits at an optimal
resource cost while optimising risk”

7. NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
7 |
22/10/2014

8. COBIT 5 FOR RISK – “DUALITY OF RISK”
8 |
22/10/2014
Do things well and
preserve or gain value
Do things badly and lose
or fail to gain value

9. NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
9 |
22/10/2014

10. ADDRESSING TWO PERSPECTIVES ON RISK
10 |
22/10/2014

11. RISK FUNCTION CAPABILITIES
11 |
22/10/2014
Risk accountability
Risk governance
e.g. 3LoD
Risk culture &
behaviours
Risk methodology
Risk principles, policy
Risk systems Risk training
Risk criteria
Risk intelligence

12. RISK MANAGEMENT CAPABILITIES
12 |
22/10/2014
Risk planning
Risk monitoring
Risk methodology

13. CORE AND SUPPORTING RISK PROCESSES
Core risk processes
Key supporting processes

14. CORE RISK PROCESSES
Governance process: EDM03 – Ensure risk optimisation:
This process covers the understanding, articulation and
communication of the enterprise risk appetite and tolerance and
ensures identification and management of risk to the enterprise
value that is related to IT use and its impact.
• Define and communicate risk thresholds
• Make sure key IT-related risk is known
• Ensure risk does not exceed appetite

15. CORE RISK PROCESSES
Management process: APO12 – Manage risk:
This process covers the continuous identification, assessment and
reduction of IT-related risk within levels of tolerance set by
enterprise executive management.
• Collect appropriate data and analyse risk
• Maintain risk profile and articulate risk
• Define action plan and respond

16. NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
16 |
22/10/2014

17. RISK SCENARIOS
Common risk identification challenges:
• Volume of identifiable risks
• Generic risk descriptions – misalignment with business
• Process and control failure risks – incidents!
• Over specification of risk detail
• Repetition of risk across BU’s
17 |
22/10/2014

18. RISK SCENARIOS
18 |
22/10/2014

19. NEXT STEPS FOR RISK MANAGEMENT
• Risk and opportunity
• Risk capability
• Risk scenarios
• Risk appetite
19 |
22/10/2014

20. WHAT IS RISK APPETITE?
ISO 31000:
Amount and type of risk that an organisation is
willing to pursue or retain
COBIT 5 for Risk
The broad-based amount of risk in different
aspects that an enterprise is willing to accept in
pursuit of its mission (or vision).
“Acceptable Level of Risk”

21. Design
DESIGNING RISK APPETITE
Risk Appetite
Construct
Implement
Govern
Risk Appetite and Risk Tolerance
Consultation paper
Institute of Risk Management
May 2011 – Figure 1
Used with permission

22. Design
DESIGNING RISK APPETITE
Risk Appetite
Construct
Implement
Govern
Business risk context
Risk capacity and capability
Risk philosophy
Risk outcomes

23. POOR POLICIES INHIBIT OPTIMISING RISK
Policy often preceded Risk Appetite Statements:
• Legacy effect of historic policy positions
• Enterprise-wide policies lack granularity for local risk/reward
decisions
• Tightening of policies after incidents
Codes of Conduct:
• Great place to start when developing a Risk Appetite Statement
• Language the Board and Executives understand
• Often covers some key areas of risk – expectations, compliance

24. CONSTRUCTING RISK APPETITE
Design
Risk Appetite
Construct
Implement
Govern
Risk domains
Risk appetite statements
Risk metrics (KRIs)
Risk tolerances

25. DETAILED RISK APPETITE STATEMENTS
Very
Low
• Avoid exposures
• Ensure awareness and operation of controls
• Assurance of KPIs and KRIs
Low
• Minimise risk exposures
• Provide awareness and operation of controls
• Monitor and report KPIs and KRIs
Moderate
• Allow local decisions for risk/reward, cost/benefit
• Use timely risk information to drive risk response
High
• Seek strategic opportunities
• Manage risk and return
• Communicate expectations and outcomes
e.g. compliance risk
e.g. operational risk
e.g. program risk
e.g. investment risk

26. RISK TOLERANCE
Risk tolerance levels are tolerable deviations from the
level set by the risk appetite definitions
Risk Appetite and Risk Tolerance
Consultation Paper
Institute of Risk Management
2011
Used with permission

27. IMPLEMENTING RISK APPETITE
Design
Risk Appetite
Construct
Implement
Govern
Communicate & train
Risk calendar
Risk tools
Measure against KRIs

28. IMPLEMENTING RISK APPETITE
Communicate
Inform key
stakeholders:
• Directors, Executives,
Business and Operations
Managers
Clarify
accountability
between risk
function and risk
management roles
Provide tools and guidance
Enable active use of
the risk appetite
statements in daily
business operations
Deploy Risk
Function as support
for risk processes
Monitor
Monitor operational
metrics and Key
Risk Indicators
Perform meaningful
risk aggregation
Provide and
relevant timely
reporting
Review
Conduct periodic
reviews (stress
tests)
Use risk
assessments,
operational metrics
and incident data to
refine risk appetite
and processes

29. GOVERNING RISK APPETITE
Design
Risk Appetite
Construct
Implement
Assess and act on
metrics
Monitor risk profile
Monitor business change
Govern

30. RE-DESIGNING RISK APPETITE
Design
Risk Appetite
Construct
Implement
Revise as required
Communicate
Refine policies, etc.
Govern

31. SUMMARY: DESIGNING RISK APPETITE
Design
Risk Appetite
Construct
Implement
Govern
Business risk context
Risk capacity and capability
Risk philosophy
Risk outcomes
Revise as required
Communicate
Refine policies, etc.
Assess and act on
metrics
Monitor risk profile
Monitor business change
Risk domains
Risk appetite statements
Risk metrics (KRIs)
Risk tolerances
Communicate & train
Risk calendar
Risk tools
Measure against KRIs

32. EXPLORING THE CHALLENGES – OBTAINING VALUE
32 |
22/10/2014
Risk and
opportunity
Risk
scenarios
Risk
appetite
Risk
capability
“The best risk management is about managing risk to business
performance against specific outcomes or objectives.”
Excerpt From: Brian Barnier “The Operational Risk Handbook for Financial
Companies: A guide to the new world of performance-oriented operational risk.”

33. CHARACTERISTICS FOR RISK OPTIMISATION
Context – Scenarios, outcomes, framework, appetite, KRIs (i.e. risk function and risk
management enablers) must be relevant to the risk context of the business
Consistency – Develop risk appetite and scenarios and then identify granular but
consistent appetites for risks across the business in business language
Completeness – Address all key risk domains across the business chain and
aggregate sensibly
Culture – Align capability and appetite with risk maturity and desired risk culture
Cooperation – Encourage proactive behaviours and guidance on management of risk
and risk appetite
Current – Monitor for change using risk information and refine responses as required

34. COBIT 5 – “RISK OPTIMISATION”
The Governance Objective:
“Value creation means realising benefits at an optimal
resource cost while optimising risk”

35. QUESTIONS?
35 | 22/10/2014