Risk Matrix + GDPR

The document discusses enterprise risk management and emerging risks. It provides guidance on building an ERM framework, including what standards to use, where to start, what model to implement, and where the ERM function should be organizationally positioned. It also discusses techniques for identifying risks, analyzing and prioritizing risks both qualitatively and quantitatively, developing a risk matrix, determining risk mitigation strategies, and providing examples of common risk categories and an emerging risk related to privacy and GDPR.

Uploaded by renna magdalena

Enterprise Risk Management and Emerging Risks
Building a Framework
Things to consider when building your framework:

– Framework – ISO vs COSO

– Where to Start – Full rollout? Phased approach?

– What Model to implement – Risk factor vs objectives based?

– ERM Organizational position – CRO, CAE, Risk Manager, Risk Committee?

2
Brainstorm Risk Events

3
Risk Event Identification Techniques
May include a combination of different types of techniques combined with supporting tools:
– Event Inventories
– Internal Analysis & Surveys
– Process Flow Analysis
– Current Events
– Facilitated Workshops and Interviews

4
Analyze, Quantify & Prioritize Risk

5
Methods to Rank Risk

Qualitative
A qualitative analysis would use a scale of "Low, Medium, High" to indicate the
likelihood of a risk event occurring.

Quantitative
A quantitative analysis will determine the probability of each risk event occurring.
For example, Risk #1 has an 80% chance of occurring, Risk #2 has a 27% chance of
occurring, and so on.

Our discussion will focus on qualitative analysis

6
Develop Risk Analysis Matrix
Develop a risk mapping for impact and likelihood to help determine
which risks need risk response. For example:

7
Types of Risk Impact
In order to align discussions around why risks are significant and what should be done
about them, you should consider dividing your analysis into types of impact:

– Financial: Incurs unanticipated costs or reduces revenues
– Reputation: Creates negative media attention
– Strategic: Causes a strategic objective to fail
– Operational: Affects the quality or efficiency of how work gets done
– Legal: Triggers arbitration or litigation against your organization
– Technology: Exposes application, data, operating systems, network or infrastructure to inappropriate access/change
– Environmental, Health and Safety: Jeopardizes staff, volunteers or others’ well-being

8
Example of a Risk Rating

9
Determine Risk Mitigation

10
Determine Risk Mitigation

– Reduce / Mitigate risk: Activities with a high likelihood of occurring, but impact is low.
– Eliminate / Avoid risk: Activities with a high likelihood of loss and high impact.
– Share / Transfer risk: Activities with low likelihood of occurring, but with a high impact.
– Accept risk: If cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk.

11
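The risk matrix of slide 7, the rating of slide 9 and the four response quadrants of slide 11 can be put into a small risk register. The following is an added example and not part of the original deck: it scores each risk on the deck's Low/Medium/High scales, assigns the response the quadrants call for (the deck defines the corners and the cost-benefit Accept rule; how the Medium cells are handled is this example's own assumption), and produces the prioritised list and heat map that the reporting slide near the end asks for. The register entries are constructed from the deck's example categories and are not data from the presentation.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative scale from slide 6, mapped to numbers so risks can be ordered
# (assumption: an equal-step 1..3 scale, which the deck does not specify).
SCALE = {"Low": 1, "Medium": 2, "High": 3}
LEVELS = ["High", "Medium", "Low"]   # row/column order for the heat map, highest first


@dataclass
class Risk:
    name: str
    category: str        # e.g. one of the example categories on slides 14-18
    impact_type: str     # one of the impact types on slide 8
    likelihood: str      # Low / Medium / High
    impact: str          # Low / Medium / High
    mitigation_cost: Optional[float] = None   # optional cost-benefit inputs for the Accept rule
    expected_loss: Optional[float] = None


def rating(risk: Risk) -> int:
    """Matrix cell value: likelihood x impact on the 1..3 scale (1 = Low/Low, 9 = High/High)."""
    return SCALE[risk.likelihood] * SCALE[risk.impact]


def recommend_response(risk: Risk) -> str:
    """Map a risk to a response using the four quadrants of slide 11.

    The slide defines the corners (High/Low -> Reduce, High/High -> Avoid, Low/High -> Transfer)
    and a cost-benefit test for Accept; the treatment of Medium cells is this example's assumption.
    """
    if (risk.mitigation_cost is not None and risk.expected_loss is not None
            and risk.mitigation_cost > risk.expected_loss):
        return "Accept"                 # cost to mitigate exceeds cost to bear the risk
    lik, imp = SCALE[risk.likelihood], SCALE[risk.impact]
    if lik * imp >= 6:
        return "Eliminate / Avoid"      # High/High, High/Medium, Medium/High
    if imp == 3:
        return "Share / Transfer"       # Low likelihood, High impact (insurance, contracts)
    if lik == 3 or lik * imp >= 4:
        return "Reduce / Mitigate"      # High likelihood with low impact, or Medium/Medium
    return "Accept"                     # remaining low cells


def prioritize(risks, top_n=10):
    """Names ordered by rating (ties broken by impact), i.e. the 'top 10 most significant risks'."""
    ordered = sorted(risks, key=lambda r: (-rating(r), -SCALE[r.impact], r.name))
    return [r.name for r in ordered[:top_n]]


def heat_map(risks):
    """Group risk names by (likelihood, impact) cell: the prioritised heat map."""
    cells = {(lik, imp): [] for lik in LEVELS for imp in LEVELS}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return cells


def render_heat_map(risks) -> str:
    """Text grid: rows = likelihood, columns = impact, cell = count of risks (and cell rating)."""
    cells = heat_map(risks)
    lines = ["likelihood \\ impact | " + " | ".join(f"{imp:>8}" for imp in LEVELS)]
    for lik in LEVELS:
        row = [f"{len(cells[(lik, imp)])} ({SCALE[lik] * SCALE[imp]})".rjust(8) for imp in LEVELS]
        lines.append(f"{lik:>19} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed register drawn from the deck's example categories (slides 14-18); not real data.
SAMPLE_REGISTER = [
    Risk("Financial fraud", "Financial", "Financial", "High", "High"),
    Risk("Cyber security incident", "Personnel/Volunteers", "Technology", "Medium", "High"),
    Risk("FX losses", "Financial", "Financial", "Medium", "Medium",
         mitigation_cost=50_000, expected_loss=20_000),   # hedging costs more than the expected loss
    Risk("Natural disaster (flood)", "Operational", "Operational", "Low", "High"),
    Risk("High turnover", "Personnel/Volunteers", "Operational", "High", "Low"),
    Risk("Delays in grant disbursement", "Grant", "Financial", "Medium", "Low"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:<30} rating={rating(r)}  response={recommend_response(r)}")
    print(render_heat_map(SAMPLE_REGISTER))
    print("priority order:", prioritize(SAMPLE_REGISTER))
```

The cost-benefit check runs before the quadrant lookup because slide 11 frames Accept as an economic decision that can override the matrix position; the "FX losses" entry shows a Medium/Medium risk that would otherwise be reduced being accepted on that basis.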
Risk mitigation - Insurance

• Risk transfer involves moving risk to a 3rd party via contractual arrangement

• Insurance is the most common Risk Transfer mechanism

• Outsourcing: risk transfer / financial offset – pre-incident assessment planning, loss control, property/cyber penetration testing

12
Risk Examples

13
Example Category - Personnel/Volunteers Risk
• Injury at work
• Causes injury to your organization’s client
• Harms reputation of your organization
• High turnover
• Triggers a cyber security incident

14
Example Category - Financial Risk
• Inaccurate and/or insufficient financial information
• No financial planning (budgeting)
• Lack of financial liquidity
• Poor pricing policy (e.g., overpriced activities in grant applications)
• Inadequate investment policy
• Excessive indebtedness
• Inadequate insurance coverage
• Financial fraud
• Funds used against the intent of donor/grantor
• High transactional costs
• Inadequate maintenance of long-term sources of funding
• Inadequate reserves and cash flow
• Dependence on a low number of revenue sources
• FX losses
15
Example Category - Operational Risk
• Not enough beneficiaries
• Not enough well-trained personnel
• Uncertainty about security of assets
• Competition from other organizations
• Dependence on suppliers (their strong bargaining power)
• Ineffective fundraising system
• Lack of formalized procedures
• Inefficient and ineffective IT system
• Implementing activities in a dangerous environment
• Natural disaster, fire, flood, theft
• Deviation from core mission “in search of” funding sources

16
Example Category - Management
• Inadequate organization structure
• Management lacks adequate experience or is not well organized
• Management dominated by individual leaders
• Resignation of key personnel
• Conflict of interest
• Ineffective communication system
• No direction, strategy, and plans

17
Example Category - Grant Risk
• Delays in disbursement
• Lack of knowledge and skills to utilize the awarded grant
• Changes in environment preventing utilization of the awarded grant
• Undervalued contract

18
Emerging Risks: Privacy / GDPR

Are you ready for the General Data Protection Regulation (GDPR)?
GDPR is the most important change in privacy in 20 years, taking effect
May 25, 2018.

In the future, aspects of the European GDPR are likely to find their way
into other regulation as well, so organizations should start to prepare
their policies and procedures for this now.

19
GDPR - Overview

– Introduction
– GDPR Requirements
– Penalties
– How it may impact companies
– What companies can do to comply

20
What is the GDPR?

– European Union’s new framework for data protection law – replaces the 1995 Directive
– One Stop Shop – EU “main establishment” of controller works with Lead Supervisory Authority
– Application to Companies Worldwide – Simply offering products to and/or collecting data about persons in the EU is enough for the law to apply. Applies to Data Controllers and Data Processors
– Effective Date – May 25, 2018

21
What is the GDPR? (cont’d)

– Principle Based – Purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability
– Lawful Basis Required for Processing Personal Information
– Greater Protections and Rights to Individuals in the EU
– Privacy Information must be clearly communicated
– Data Protection Officers (regular and systematic monitoring on a large scale, or sensitive data, or public body); Associations representing categories of controllers MAY designate a DPO for their Controllers
– Appropriate security of Personal Data

22
GDPR: Penalties, Complaints, Reputation

Penalties
• 20 million euro or up to 4% of total worldwide annual turnover,
whichever is higher
• Member States can impose additional fines not covered by Art. 83

Complaints/Investigations

Reputational Consequences

23
GDPR applies…

When a company processes an EU data subject’s information if the processing is related to:

• offering or providing goods or services – even if no payment is required

• monitoring individuals in person or online

24
GDPR does not apply…

If the data does NOT relate to an identified or identifiable natural person, or if the data is rendered anonymous in such a way that the data subject is no longer identifiable (e.g. fully anonymized data – no identifiers; a research report that only includes statistical information with no identifiers).

What about pseudonymous data?
• Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. GDPR promotes the use of this.

25
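Slide 25 distinguishes anonymised data (no identifiers at all, e.g. a statistical report) from pseudonymised data, where the direct identifiers are split off and linkage needs "additional information that is held separately"; slide 31 names pseudonymization among the security measures GDPR calls out. The following is an added example, not code from the deck or its authors, showing one common way to implement that separation: a keyed HMAC token replaces the identifiers, and the key plus the token-to-identity lookup are the separately held information. The registration records are constructed sample data (slide 27 uses conference registrations as its processing example); names, e-mail addresses and the key are placeholders.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: a conference-registration list. Two rows belong to the same person.
REGISTRATIONS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "track": "Security"},
    {"name": "Bob Sample", "email": "bob@example.net", "country": "FR", "track": "Privacy"},
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "track": "Privacy"},
]

# Columns that identify a person on their own (slide 28 lists name and e-mail as personal data).
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    A keyed MAC rather than a plain hash, so that someone holding only the
    pseudonymised table cannot recompute tokens from guessed e-mail addresses.
    Truncated to 16 hex characters for readability (assumption: enough for a demo).
    """
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Replace the direct identifiers with one subject token per person.

    Returns (pseudonymous records, lookup). The lookup (token -> identifiers) and the
    key are the 'additional information held separately' that slide 25 refers to;
    they must be stored apart from the pseudonymous data set.
    """
    lookup = {}
    out = []
    for r in records:
        token = make_token(r["email"], key)
        lookup.setdefault(token, {k: r[k] for k in DIRECT_IDENTIFIERS})
        out.append({"subject": token,
                    **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(record, lookup):
    """Re-link a pseudonymous record to its identifiers; fails without the lookup."""
    ident = lookup.get(record["subject"])
    if ident is None:
        raise KeyError("no linkage available for this token")
    return {**ident, **{k: v for k, v in record.items() if k != "subject"}}


def anonymize_to_statistics(records, by: str):
    """Aggregate counts with no identifiers at all: the anonymised case of slide 25."""
    return dict(Counter(r[by] for r in records))


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-separate-store"   # placeholder, not a real secret
    pseud, lookup = pseudonymize(REGISTRATIONS, key)
    for r in pseud:
        print(r)                                    # no name or e-mail, but the same person shares a token
    print(reidentify(pseud[1], lookup))             # possible only with the separately held lookup
    print(anonymize_to_statistics(pseud, "track"))  # e.g. {'Security': 1, 'Privacy': 2}
```

The same e-mail address yields the same token, so analysis across records of one person still works (that is what makes this pseudonymous rather than anonymous), while a different key yields different tokens, so two pseudonymised data sets cannot be joined unless the key is shared. The statistics function illustrates the boundary slide 25 draws: once only aggregate counts remain, there is no data subject to identify.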
GDPR: Controllers and Processors

– Controller: company that alone or jointly with others determines the purposes and means of processing of personal data

– Joint Controller: when two or more controllers determine the purposes and means of processing

– Processor: processes data on behalf of the controller

26
GDPR: Processing

Any operation which is performed on personal data such as collection, storage, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.

Examples: processing hotel room or conference registrations; selling books or online courses.

27
GDPR: What is Personal Data?

"Personal data" is any information which relates to a living individual who can be identified:
• From that information
• From that information combined with other information held or likely to come into the possession of the company

Examples
 Name
 Postal or work or email address
 Phone number
 ID numbers (e.g. passport, license)
 Location data (usually from devices)
 Bank account details
 Expressions of opinion
 Photographs, sound recordings, film
 IP addresses
 Information stored in cookies or similar technologies
 Training records

28
GDPR: What is Sensitive Data?

Sensitive data requires special handling, higher protections.

Not specifically defined under the GDPR, so Member States can regulate further.

GDPR prohibits their processing unless exemptions are in place: explicit consent, employment obligations, etc.

Examples
 Biometric data
 Health and genetic data (allergies)
 Employment data
 Criminal convictions
 Racial or ethnic data
 Political opinions
 Religious or philosophical
 Trade-union membership
 Sex life or sexual orientation

29
GDPR: Key Changes

1 Data Subject Rights – Increased transparency and creating new rights. Right to Access, Right to be Forgotten, Data Portability

2 Consent – Consent for processing must be freely given, specific, informed and unambiguous. Strict Requirements – see Art. 29 WP Guidance

3 Data Processors and controllers – More contract requirements to be flowed by controllers to processors (data processing agreements)

4 Data Protection by Design (DPbD) – DPbD is about ensuring that privacy is embedded throughout the organization and being able to demonstrate compliance to regulators

5 Cross-Border Transfers – This privacy-compliant cross-border data transfer strategy must have “adequate protections”

6 Data Breach Notifications – Controllers required to notify competent supervisory authority and, in certain cases, also affected data subjects. Generally within 72 hours.

30
GDPR: Security Requirements

Flexible requirement that takes into account several factors: (1) state of the art; (2) implementation costs; (3) nature, scope, context and purposes of processing; (4) risk of varying likelihood and severity for the rights and freedoms of natural persons

Breach notification requirement: 72 hours or without undue delay

Specific callouts for: encryption, pseudonymization, backups, procedures for regularly testing/assessing/evaluating effectiveness of security measures

31
GDPR: What Companies Can Do To Comply?

Organization:
• Assemble Your Team
• Roles & Responsibilities
• Know your data
• Security Obligations

Processes:
• Determine Systems tied to Data
• Employee Outreach
• Collaboration
• Training

Monitor & Enforce:
• Encourage Communication
• Make Good Conduct Visible
• Manage Employee Error

Document:
• Privacy Policy
• Security Policies
• Breach Response Plan
• Document Retention Plan

32
GDPR: Data Governance

Data Governance
• Policies – data governance policy with data classification scheme
• Processes – roadmaps for determining governance steps
• Data Mapping and Inventory – required to document all data processing activities in lieu of notifications/approvals to DPAs
• Vendor Management – who has data, where is it, and how is it managed

33
GDPR: Contracts for Using Processors

– Processor must provide contractual guarantees that they use data security technology and methods that meet GDPR

– Gap analysis and legal review of contracts to determine if amendments need to be made to meet GDPR requirements

– Make amendments in order to continue using Processor in compliance with new requirements

34
GDPR: Data Transfers

Only one part of GDPR compliance – still many other compliance requirements

Options – need to have “adequate data privacy protections”:

• Standard Contractual Clauses
• Privacy Shield – Not for Trade Associations, Other nonprofits, No Banks (must have FTC jurisdiction)
• Binding Corporate Rules (GDPR gold standard, but complex)
• Country deemed by EU as having “adequate protections” (Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay – NOT US)

35
GDPR: Standard Contractual Clauses

What are Standard Contractual Clauses?

Pre-approved contractual language to be incorporated into agreements, unchanged.

Two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA, and one set for the transfer from controllers to processors established outside the EU/EEA.

36
GDPR: Data Transfer Exceptions

– Consent – must be informed, explicit, more complex under GDPR

– Contract – must be necessary for performance or conclusion of a contract or implementation of pre-contractual measures taken at the data subject's request

– Public interest

– Legal claims – necessary for the establishment, exercise, or defense of legal claims

– Vital interests – necessary to protect the vital interests of the data subject or of other persons (if the data subject is physically or legally incapable of giving consent)

37
Emerging Risks: Culture and Conduct

“It takes 20 years to build a reputation, and five minutes to ruin it. If you think about that, you’ll do things differently.”
– Warren Buffett

38
Culture and Conduct Risk: Recent Examples

For-Profit World
• Wells Fargo – Banking Scandal
• Volkswagen – Emissions Scandal

Individuals
• Harvey Weinstein
• Matt Lauer
• Others

Non-Profit World
• Hotchkiss – Tick-Bite = $41 million
• NRA
• OXFAM

39
Culture & Conduct Risk: Tone from the Top
Ensure cultural values are reflected in the organization’s:

• Strategy
• Risk appetite
• Compliance frameworks
• ACTIONS

40
Culture & Conduct Risk: Independent Assurance
Organizations should demonstrate due diligence by conducting
independent risk reviews / health checks over the following areas:

• Strategy
• Policies & practices
• Training
• Investigation procedures
• Review of KPIs

41
Emerging Risks: Third-Party

Fees and fines related to third-party risk may be significant, but the long-term brand and financial impact of reputation loss can be much worse. A third-party engagement can be ended; reputation losses are often far more severe than any fine.

42
Why Manage and Assess Third-Party Risks?

Third-Party Risk Examples

• Cyber Security
• Intellectual Property Theft
• Manufacturing Quality Control
• Data Protection
• Safety / Occupational Hazard
• Money Laundering
• Bribery and Corruption
• Political Exposure
• Social Responsibility
• Fraud
• Wage and Hour Violations
• Conflict Minerals

43
TPRM – Third Party Risk Management

TPRM is the process of analyzing and mitigating risks to your company by parties OTHER than your own company.

• TPRM can reduce likelihood of:
 data breach costs
 operational failures
 vendor bankruptcy
 reputation damage

44
TPRM Third-Party Stratification Example

Tier 1
• Critical vendors (10%) – PII + critical systems

Tier 2
• Major vendors (40%) – PII OR critical systems

Tier 3
• Vendors (50%) – commodities/low risk purchases

45
TPRM Third Party Due Diligence Example
Due Diligence is the process by which the vendor is reviewed
to determine its suitability for a given task.

• Risk Assessment (Documentation, Categories of Risk)
• Financial (projections & review)
• Insurance Review
• Background check
• Legal Review
• Vendor Audits and/or SOC reports

46
ERM - Critical Success Factors

• Obtain senior management approval and involvement
• Designate committees or individuals to champion
• Develop Procedures
• Involve business and technical experts
• Formalize reporting to leadership

47
Develop ERM Procedures
Who is responsible for initiating and conducting risk assessments

Who will participate

What steps will be followed

How disagreements will be handled and resolved

What approvals will be needed

How assessments will be documented

How documentation will be maintained

48
Formalize Risk Reporting

1 Updated Risk Universe
• Enterprise Universe
• Survey Results

2 Risk assessment criteria – Use risk assessment criteria to prioritize risks; identify the most significant risks to the organization

3 Prioritized risk heat map

4 Mitigation Plans – Identify risk mitigation plans for the top 10 most significant risks


Any Questions?

Derek Symer – AHT – 703.669.1121 – [email protected]
Melissa Musser – Aronson – 240.364.2598 – [email protected]
Donna McPartland – Arent Fox – 202.350.3765 – [email protected]

50
