Project Risk Assessment
© Thomas E. Festing – 2013
A Little Background – Tom Festing

State of Ohio:
    Office of Budget & Management
    Internal Audit / IT General Controls
    Risk Assessments / Consulting support

10 Years Internal Audit/Risk Management:
    JP Morgan Chase & Prudential Home Mortgage
    Risk assessments, Privacy, ITGC reviews
    Infrastructure / Data Center Technology

1 Year CIO:
    Non-traditional Credit Card Industry
    "Owned" IT functions

10 Years Public Accounting:
    7 years with Arthur Andersen
    IT audit and consulting support
    IT Risk Assessment & Governance

11 Years In The US Army - Captain:
    Communications & Automation
    Banking & Finance
    Have driven an Abrams M1 Tank (mighty fine)
    Things, That If I Told You – Someone "May Come And Take Us Both Away"!

Education/Certifications:
    CISA/CRISC
    BSBA In Accounting (Back When Dirt Was New)
    Been Working On A Masters Since 1981

35 Years Married:
    Wife & Two Children
    Moved 17 times in 35 years
    Two Dogs
    2 year old Grandson
This is not a "technology" presentation … it is from a "business risk" perspective!

Today's objective is not to make you a "guru" … but to make you aware of a risk-based approach!
Project Risk Assessment

• Why are we here?
• Definition – Risk Assessment
• The Business Problem
        – Problem
        – Solution
        – Objective/Approach
• The Process
        – Frame It
        – Collect It
        – Analyze It
        – Tell All
• Life Cycle
• Questions/Comments


Why Are We Here Today?

Risk professionals are expected to develop processes that fit into a holistic risk management strategy and that complement Enterprise Risk Management, IT risk assessment, privacy reviews, and NIST 800-30 risk assessments.

This session provides an example of a repeatable, survey-based process that aids in assessing the business risks associated with managing large or complex projects. These risks go beyond traditional functionality and code testing, extending to potential business weaknesses in project governance, management, business requirements, design/architecture, implementation, and security.

We review an approach that produces quantifiable results and supports stratifying potential issues by organizational demographics, including business function, position, experience, and level of participation, at both the business and IT levels.

We also review example deliverables that provide benchmark data which senior management and project sponsors can use to support accountability, and to run follow-on assessments that evaluate changes in project communication and execution.
The Business Solution

What do you really want!
    Proactively identify areas where large project management may be at risk.
    Stratify possible risk areas based on demographics – who is "in sync" and who is "out".
    Identify areas that can be adjusted to help ensure success.
    Understand how to make it easy!

What will you get!
    Explanation/walkthrough of process.
    Copy of sample survey questions.
    Description of a "tool".
    CPE credits … and ME!
Extract - Holistic Risk Assessment Strategy

[Figure: rating grid rendered as an image; only its labels survive extraction. Panel titles: Enterprise Risk Management, IT Risk Assessment, NIST 800-30. The assessment attributes are grouped under six dimensions: Governance, Security Management, Monitoring, Data Management, Functionality, and Recoverability/Availability. Attributes shown: Policies and Procedures; Personnel; Vendor Management; Control Capabilities; Ease of Use; Exposure Population; External Facing; User Security Adm.; Security Monitoring; Data Privacy; Change Activity; Age/Release Level; Inventory; Performance Monitoring; Transaction Monitoring; Data Availability/Importance; Redundant Architecture; BC/DR & Recovery Speed. Each attribute is rated on a three-level scale from lowest to highest risk, for example: Policies and Procedures: Sufficient / Exists / Deficient-None; Personnel: Confident / Limited Confidence / No Confidence; Vendor Management: No/Low Exposure / Moderate Exposure / High Exposure; Control Capabilities: Strong / Marginal / Weak; Ease of Use: Expert / Some Experience / General User; Exposure Population: Technical Support / Departmental / "Everyone"; External Facing: No External Facing / Internal Exposure / External Exposure; User Security Adm.: Centralized / Mixed Environment / Decentralized; Data Privacy: Public Data / Internal / Private; BC/DR & Recovery Speed: Important / Customer Critical / Mission Critical. Other scales visible in the grid include In Place or Established / Ad-Hoc / Does Not Exist for the monitoring attributes, Tracks Detail Activity / Powerful Users / Does Not Exist, Current / Important / Highly Important, and Low / Medium / High. A second copy of the grid, labelled "Optimized", is cut off at the end of the extract.]
                                                                                                                                                                                                                                                                                                                                                                                            i                                      C han ge A i vi y
                                                                                                                                                                                                                                                                                                                                                                                                                                             ct t        A / el easeL evel
                                                                                                                                                                                                                                                                                                                                                                                                                                                          ge R                                                           In vent ory
                                               Procedu res                                                                                                                                                                                                                                                                            Mon i ori ng
                                                                                                                                                                                                                                                                                                                                          t                    M oni t r ng
                                                                                                                                                                                                                                                                                                                                                                     oi                                     Import ance                                                                                                                         Archi t ect re
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          u             Sp eed


                                                        3                        2                           2                           2                   9                       3                                                                             2                           2                      2                       2                        2                      9                     3                        5                       2                                                          3                       2                    6


                                                      5                          9                           5                           4                   5                      9                                                                             9                            9                      9                       5                        4                      9                     3                        5                       5                                                          5                       9                   10


                                                      2                          5                           2                           2                   9                      2                                                                             2                            5                      5                       2                        2                      9                     5                        2                       2                                                          3                       9                   10


                                                      5                       2                            2                             3                   9                      9                                                                             2                            2                      5                       2                     2                         9                     3                        5                       2                                                          3                      2                  10




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           Risk Environment
                                                    5                        10                            2                          9                   9                        9                                                                            9                           2                      6                       3                        9                       9                     5                       8                      10                                                          3                       5                    10

                                                    5                         9                           6                           5                   5                        5                                                                            2                           5                      5                       2                        2                      9                      3                       8                       3                                                          3                       2                    10

                                                   5                          9                           9                           2                   6                        9                                                                            9                           9                      2                       8                        2                      9                      3                       5                       2                                                          3                       2                   6



                                                   5                          6                           2                           2                   7                        6                                                                            2                           6                      5                       3                        2                      9                     3                        5                       2                                                          3                       2                   10



                                                                                                                                                                                                                                                                                                                             Preparing For Ris k As s es s ment (U nders tand)
                                                   6                         10                           10                          3                   9                        9                                                                           2                            6                      9                       6                        9                      9                     3                        3                      10                                                          3                       5                   10




                                                   3                          2                           5                           5                   7                        6                                                                           3                            2                      5                       2                        8                      9                     3                        5                       2                                                          3                      2                    10



                                                   5                         10                           10                          1                   5                        4                                                                           5                            2                      2                       2                        10                    10                     7                        5                      2                                                           3                      5                    10

                                                                                                                                                                                                                                                                                                                                                          Execute




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Audit
                                                   5                          5                           2                           2                   9                        9                                                                           5                            5                      2                       2                        5                      9                     3                        5                      2                                                           3                      2                    10



                                                   5                          9                           2                           2                   7                      5                                                                             5                            5                     2                       2                        5                       9                     3                        5                      5                                                           3                      2                    10

                                                                                                                                                                                                                                                                                                                                                       Identify Threat
                                                   3                          5                           2                           5                   9                      9                                                                             9                            5                     5                       9                        9                       9                     5                        2                      5                                                           3                      2                    10


                                                   5                          5                           2                          2                   3                       2                                                                             9                           5                      2                       2                        2                       9                     3                        5                      2                                                           3                      2                    10




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               Plan/Scope
                                                   5                          9                           5                          2                   2                      10                                                                             10                          5                      7                       5                        2                       9                     3                        5                      2                                                           3                      2                    10
                                                                                                                                                                                                 Communications & Information Sharing (Deliverables )




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Risk Assessment
                                                   5                         9                            5                          2                   2                       2                                                                             1                           5                      2                       5                        2                      9                      3                        5                      2                                                           3                      2                    10

                                                                                                                                                                                                                                                                                                                                  Identify Vulnerabilities / Predis pos ing
                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Maintaining Ris k As s es s ment (Life Cycle)




                                                  5                          5                            5                          3                   5                     10                                                                              10                          5                      5                      5      Conditions
                                                                                                                                                                                                                                                                                                                                                        2             9                                         3                        5                       2                                                           3                      2                    6


                                                  6                         10                            10                         6                   2                       9                                                                             9                           9                      9                       9                        6                      9                     3                        5                       3                                                          3                       5                   10

                                                  5                          5                           9                           5                   9                      2                                                                             2                            5                      6                       2                        2                      2                     3                        2                       2                                                          5                       2                   5

                                                  5                          5                           9                           5                   9                      2                                                                             2                            5                      2                       2                        2                      2                     3                        2                       2                                                          5                       2                   5

                                                  5                         10                           10                          5                   5                      5                                                                             9                            9                      8                       3                        10                    10                     9                        5                       2                                                          3                      5                    10




                                                                                                                                                                                                                                                                                                                                  Determine Likelihood of Occurrence




                                                                                                   IT Ris k As s es s ment


                       Hi                                                                                                                                                                                                                                                                                                                         Determine Impact




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               Control Effectiveness
                       gh

                                                                                                                                                                                                 1                                                                             1
                                                                                                                                             1                                                   3                                                                             3
                                                                                                                                             3


                                                                                             1                                                       1                                                                                                                                                                                                 Determine Ris k
                                                                                             3                                                       3
                                                                                                                                                                                                 1                                                                             1
                                                                                                                                                                                                 3                                                                             3




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Regulatory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Availability
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Efficiency
                                                                                                                                                                               1
                                                                                                                                                                               3
                                                                  1                                                                                                                                                                                                    1
                                                                  3                                                                                                                                                                                                    3
          Likelihood




                                1
                                3
                                                                                                                                                                                                                                                               1
                                                                                                                                                                                                                                                               3

                                    1
                                    3                                                                                    1
                                                                                                                         3
                                                                       1
                                                                       3



                                        1
                                        3                                     1
                                                                              3




                            L
                            o                                                                                                                                                                                                                                                                            H
                            w                                                                                                                                                                                                                                                                            i
                                                                                                    Impact                                                                                                                                                                                               g
                                                                                                                                                                                                                                                                                                         h




[Diagram: central box labelled IT Governance / Enterprise Risk Mgmt / Strategy / Governance, flanked by two Focus lists.]

Focus (left):
 • Assess IT technology risk drivers
 • Creating a multi-year audit plan
 • Technology device/process focus

Focus (right):
 • Regulatory requirement
 • Identifying security threats / likelihood / impact
 • Business focus

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Focus
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Regulatory requirements
                                                                                                                                                    Focus                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         GOVERNANCE   APPLICATION
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Data Privacy
         • Large/complex projects
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      STORAGE/
         • Provides quantifiable                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 TRANSIT             REMOVABLE

           analysis stratifying key
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MEDIA
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Common Linkage
           governance areas
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           REPORTS                     Linkage to ERM
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Project Risk Assessments                                                                                                           Privacy                        Managing Change
© Thomas E. Festing – 2013                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 7
Risk Assessment

        A Risk Assessment is a logical first step in a methodical risk
        management process ...

        that provides a framework for creating a quantifiable or
        qualitative value of the risk ...

        linking to threat sources and vulnerabilities …

        that supports determining the inherent likelihood and impact ….

        that could hinder an organization from attaining its business
        goals and objectives in an efficient, effective, and controlled
        manner – be it process, technology, people, or vendor generated.
Project Risk Assessment Process
Project Risk Assessment Process

                           Ready?
Project Risk Assessment – New Agenda

                             Nope…   I used to think that 90% was all about
                                     the journey – and thought everyone
                                     was as excited about the trek as I was.

                                     The end was just the conclusion of the
                                     “fun stuff”.

                                     Well – it’s not.

                                     You need to see what’s at the end so
                                     you can see if the 90% is worth the
                                     10%.

                                     It also allows you to see why the path
                                     is not “easy”.

                                     So here’s the modified agenda.
Project Risk Assessment – New Agenda
• A “Peek” To End Deliverables                      What do I get!
• Definition – Risk Assessment
• The Business Problem                              Why do I even want to take this trip!
        – Problem
        – Solution
        – Objective/Approach                        What will I take the trip in … is it sound!
• The Process
        – Tell All                                  10% - End Deliverable
        – Frame It
        – Collect It                                90% - Fun Stuff
        – Analyze It
        – Tell All                                  10% - End Deliverable .. recap
• Life Cycle                                        Sustain … don’t make the same trip twice
• Questions/Comments                                How many CPE did I get for this?
THE PEEK
The Peek

 Wouldn’t it make more sense to be able to
 get a peek at what we will “get” … like:

 Define critical project risk and demographic areas!

 Strategy for collecting and analyzing data!

 Understanding what/how to communicate results!

 How you can track improvements.

 Understand how this links to ERM and other risk
 assessments!

 May be handy – especially if we run out of time ……
The Business Problem

     Large projects tend to fail.

     Need to find a way to identify potential risk areas.

     Need to find a way to track improvements.
Critical Risk Areas

  Management Governance
  Program Management
  Business Requirements
  Design & Development
  Implementation/Operations
  Information Security

  Need a common language.

  Use a limited number of broad-based “business relevant” control areas.

  They do need to link to standard control areas so they are “defendable”
  and tie to audit & ERM.

  Build standard survey questions for each “Control Area”.

           End results - 6 Categories / 22 Sub-areas / 47 Questions.
Collect / Analyze Data By Demographics

     Stratifying & consolidating data by demographics provides a way to
     gauge responses and provide different perspectives.

     Gaining input across different “levels” and organizational groups
     helps identify who is or is not ………
Collect / Analyze Data By Demographics

  Need to:
    Identify demographics
    Collect input with anonymity
    Keeps it relevant & limited

  Use On-Line Survey

  Example demographics ….

  Functional Area/Responsibility:
    Executive Leadership
    Line Of Business
    Information Technology
    Vendor/Consultant

  Project Involvement:
    Core Team Member
    Subject Matter Expert
    Tester
    None

  Position:
    Executive Management
    Senior Managers/Directors
    Supervisors
    Staff

  Years Experience:
    1-3 Years
    3-6 Years
    6-9 Years
    > 9 Years
Collect & Analyze Data

     Success is not driven by slogans, mandates, and t-shirts – but by the
     support of the diversified team
Collect & Analyze Data

  Use On-Line Survey (Survey Monkey)

  Data Collection By Critical Risk Areas (6 Categories / 22 Sub-areas):
    Management Governance
    Program Management
    Business Requirements
    Design & Development
    Implementation/Operations
    Information Security

  By Demographics & 47 specific Questions

  Import To Core Risk Engine

  CORE RISK ENGINE: “Crunch” Data
Communicate To Management

   A way to communicate so management can “size” and “track”.

[Chart residue: two scatter plots, “Baseline” and “Future Point In Time”, each placing the numbered Risk Areas by Confidence Level (x axis, 10 = Extremely Confident through 1 = Not Confident) against Impact Project Success (y axis, Low to High), with a Heat Map overlay. Call-outs: Overall Top / Bottom 5 areas; Detail By Question; Area/Demographics.]
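The “crunch” step of the Collect & Analyze slide and the top/bottom, heat-map and milestone views of the Communicate To Management slide, as an added Python example that is not part of the original deck or of the author’s risk engine. It assumes a 10 (Extremely Confident) to 1 (Not Confident) answer scale taken from the chart axis, a constructed set of responses, a single modelled demographic (position) and heat-map cut-offs that are an assumption; the function names are hypothetical.

```python
"""Added example (not from the deck): a minimal 'core risk engine' for a
survey-based project risk assessment. It takes per-question confidence
responses, stratifies them by demographic, scores each critical risk area,
ranks the top/bottom areas, bands them for a heat map and compares milestones.
The area names come from the deck; the responses below are constructed."""
from collections import defaultdict, namedtuple

# The deck's six critical risk areas.
AREAS = [
    "Management Governance", "Program Management", "Business Requirements",
    "Design & Development", "Implementation/Operations", "Information Security",
]

# One survey answer: confidence on the chart's 10 (Extremely Confident) .. 1
# (Not Confident) scale for a question in `area`, tagged with the demographic
# fields collected (only `position` is modelled here; others would be added
# the same way).
Response = namedtuple("Response", "milestone position area score")


def _r(milestone, position, area_idx, score):
    return Response(milestone, position, AREAS[area_idx], score)


# Constructed sample: two milestones, two positions, one answer per area each.
RESPONSES = [
    _r("M1", "Executive Management", 0, 8), _r("M1", "Staff", 0, 6),
    _r("M1", "Executive Management", 1, 7), _r("M1", "Staff", 1, 5),
    _r("M1", "Executive Management", 2, 8), _r("M1", "Staff", 2, 8),
    _r("M1", "Executive Management", 3, 6), _r("M1", "Staff", 3, 4),
    _r("M1", "Executive Management", 4, 7), _r("M1", "Staff", 4, 7),
    _r("M1", "Executive Management", 5, 5), _r("M1", "Staff", 5, 5),
    _r("M2", "Executive Management", 0, 7), _r("M2", "Staff", 0, 5),
    _r("M2", "Executive Management", 1, 6), _r("M2", "Staff", 1, 4),
    _r("M2", "Executive Management", 2, 8), _r("M2", "Staff", 2, 6),
    _r("M2", "Executive Management", 3, 5), _r("M2", "Staff", 3, 3),
    _r("M2", "Executive Management", 4, 6), _r("M2", "Staff", 4, 6),
    _r("M2", "Executive Management", 5, 7), _r("M2", "Staff", 5, 7),
]


def area_scores(responses, milestone, **filters):
    """Mean confidence per area for one milestone, optionally restricted to a
    demographic slice, e.g. area_scores(rs, "M2", position="Staff")."""
    buckets = defaultdict(list)
    for r in responses:
        if r.milestone != milestone:
            continue
        if any(getattr(r, field) != wanted for field, wanted in filters.items()):
            continue
        buckets[r.area].append(r.score)
    return {area: round(sum(s) / len(s), 2) for area, s in buckets.items()}


def rank_areas(scores, n=5):
    """'Overall Top / Bottom n': highest-confidence areas first, then the
    lowest-confidence (highest-risk) areas. Ties break alphabetically."""
    top = sorted(scores, key=lambda a: (-scores[a], a))[:n]
    bottom = sorted(scores, key=lambda a: (scores[a], a))[:n]
    return top, bottom


def risk_band(score):
    """Heat-map band for a mean confidence score. The cut-offs (below 5 = High,
    5 to under 7 = Medium, 7 and above = Low) are an assumption, not the deck's."""
    if score < 5:
        return "High"
    if score < 7:
        return "Medium"
    return "Low"


def milestone_trend(responses, current, previous):
    """Change in mean confidence per area between two assessments; a negative
    value means confidence fell (risk rose) since the earlier milestone."""
    now, before = area_scores(responses, current), area_scores(responses, previous)
    return {a: round(now[a] - before[a], 2) for a in now if a in before}


def demographic_gap(responses, milestone, field, group_a, group_b):
    """Per-area confidence of group_a minus group_b, to show which groups do or
    do not share management's view of the project."""
    a = area_scores(responses, milestone, **{field: group_a})
    b = area_scores(responses, milestone, **{field: group_b})
    return {area: round(a[area] - b[area], 2) for area in a if area in b}


if __name__ == "__main__":
    scores = area_scores(RESPONSES, "M2")
    top, bottom = rank_areas(scores, n=2)
    print("Top:", top, "Bottom:", bottom)
    for area, delta in milestone_trend(RESPONSES, "M2", "M1").items():
        print(f"{area:28} {scores[area]:4.1f} {risk_band(scores[area]):6} {delta:+.1f}")
    print(demographic_gap(RESPONSES, "M2", "position", "Executive Management", "Staff"))
```

With the constructed data every area except Information Security loses confidence between M1 and M2, the shape of finding the next slide reports, and the executive-versus-staff gap shows where the people doing the work are less confident than those steering it.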
Communicate To Management

GOAL:                     CONCLUSION - RECOMMENDATION - PRIORITIZATION

                                            Significant areas indicated a protracted lack of
                                            confidence. Area averages – except
                                            Information Security – were lower at this
                                            milestone than the previous two assessments.
Coordinated ERM and Risk Assessments

[Diagram: a LIFE CYCLE of numbered stages feeding a central CORE RISK ENGINE. Recoverable labels:]

  1  Enterprise Risk Management (ERM)

  2  COMMON RISK DRIVERS:
       Governance/Process
       Preventative/Logical
       Detective/Monitoring
       Change Management
       Availability/Data Management

  3  TECHNOLOGY AREAS: IT Risk Assessment (Business Process, Risk Driver, Technology Device);
     Audit Plan; IT Business Plan

  4  TECHNOLOGY CHANGE RISK TOLERANCE

  5  PRIORITIZATION: RESIDUAL/INHERENT RISK; “What If”

  6  BUSINESS AREAS:
       Legal/Regulatory Risk Assessment
       DR/BC Business Impact Assessment
       Business Process Assessment
       Privacy Risk Assessment
       Threat Assessment (NIST 800-30)

     OTHER RISK ASSESSMENTS: Various Risk Reports

  8  Project Risk Assessment
Now the detail fun journey
for the “why” and “how”!

                             PEEK END
The Business Problem
Risk Assessments

For years we have convinced ourselves that all we needed to do was carry forward
our audit approach and strategy from year to year – or just focus on NIST.
     We acknowledged that there was always “change”, and some
     level of “business risk” that management would accept.

     After all, what you didn’t know couldn’t hurt you! …or is
     it “If it doesn’t kill you – it makes you stronger”?

     No one disputes that project risk increases based on
     the project size and duration.

                             Today – we have traditionally built structured risk-based
                             approaches based on a combination of financial risk
                             management, technology risk assessment framework, and
                             risk-based audit scoping that works in concert with the
                             overall enterprise risk management model to guide audit’s
                             assurance of “reasonable” levels of residual risk.
The Business Problem

Organizations are confronted with having to develop efficient, effective, and repeatable assessment tools to aid in assessing the business risks of managing large enterprise projects.

Pressure is placed on more than just functionality and code testing; it now extends to deciding where to focus limited resources to target potential weaknesses within the project areas of:
   Governance,
   Project Management,
   Business Requirements,
   Design/Architecture,
   Implementation, and
   Security.

Pressures are being applied by Audit Committees and Boards to understand costs / benefits and what proactive steps are being taken to reduce industry “failure” rates!
© Thomas E. Festing – 2013                                                      27
The Business Problem

2012 Gartner – Survey

“.. While larger projects are more likely to fail than smaller projects, around half of all project failures, irrespective of project size, were put down to functionality issues and substantial delays.”

“.. Failure rate of IT projects with budgets exceeding $1 million was found to be almost 50% higher than for projects … below $350,000.”

“.. Smaller projects experienced a one-third lower failure rate than large projects . keep small … not exceeding six months in duration …”

Specifically identified:
   Cost:
      Not identifying budget variances/overruns early.
      Changes in scope – with related impact to cost vs. budget.
   Functionality:
      Not capturing business functionality expectations.
      Quality.
      Infrequent project status meetings.
      Misalignment with business strategy.
   Late!

Sounds like project management & Governance to me!

© Thomas E. Festing – 2013                                                                         28
The Real Business Solution

This session provides an example approach of a repeatable survey-based process that:
   Provides quantifiable analysis techniques gained by evaluating input across demographic cross sections by:
      • Functions,
      • Position,
      • Experience, and
      • Participation at both business and IT levels.
   Provides quantifiable results that support stratification of potential issues both by project area and organization layer.
   Delivers benchmark data to support:
      • Audit focus during the project.
      • Follow-on assessments to evaluate whether changes in project communications and execution are achieving the desired results.
 © Thomas E. Festing – 2013                                                    29
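As an added illustration of the stratified analysis this slide describes (example code written for this page, not the deck's own survey tool or "core risk engine"), the following script aggregates confidence scores by the six critical risk areas named in the deck and by a demographic such as functional area, ranks the weakest areas, finds where demographic groups disagree most (who is "in sync" and who is "out"), and compares the current assessment against an earlier one. The responses and the baseline are constructed sample data, and the 1 to 5 numeric coding of the Not Confident ... Extremely Confident scale is an assumption.

```python
"""Stratified analysis of project risk survey responses.

Added example (not the deck's own tool): aggregates confidence scores by
critical risk area and by demographic, ranks the weakest areas, finds where
demographic groups disagree, and compares against an earlier baseline.
"""
from collections import defaultdict
from statistics import mean

# The six critical risk areas named in the deck.
AREAS = [
    "Management Governance",
    "Program Management",
    "Business Requirements",
    "Design & Development",
    "Implementation/Operations",
    "Information Security",
]

# Assumed numeric coding of the deck's confidence scale:
# 1 = Not Confident ... 5 = Extremely Confident.

# Constructed sample responses: (respondent demographics, score per area).
SAMPLE_RESPONSES = [
    ({"function": "Executive Leadership", "position": "Executive Management"},
     dict(zip(AREAS, [5, 4, 4, 4, 4, 5]))),
    ({"function": "Executive Leadership", "position": "Senior Managers/Directors"},
     dict(zip(AREAS, [4, 4, 4, 3, 4, 4]))),
    ({"function": "Line Of Business", "position": "Supervisors"},
     dict(zip(AREAS, [3, 2, 2, 3, 3, 4]))),
    ({"function": "Line Of Business", "position": "Staff"},
     dict(zip(AREAS, [3, 3, 1, 3, 2, 4]))),
    ({"function": "Information Technology", "position": "Supervisors"},
     dict(zip(AREAS, [2, 3, 2, 4, 3, 5]))),
    ({"function": "Information Technology", "position": "Staff"},
     dict(zip(AREAS, [2, 2, 2, 4, 2, 4]))),
]

# Constructed baseline: assumed area means from an earlier assessment of the same project.
BASELINE_MEANS = dict(zip(AREAS, [3.0, 3.2, 2.4, 3.5, 3.3, 4.0]))


def area_means(responses, areas=AREAS):
    """Overall mean confidence per area, rounded to two decimals."""
    return {a: round(mean(s[a] for _, s in responses if a in s), 2) for a in areas}


def rank_areas(responses, areas=AREAS):
    """Areas ordered from lowest confidence (most at risk) to highest."""
    means = area_means(responses, areas)
    return sorted(means, key=means.get)


def stratify(responses, by, areas=AREAS):
    """Mean confidence per area for each value of the demographic key `by`."""
    buckets = defaultdict(lambda: defaultdict(list))
    for demo, scores in responses:
        for a in areas:
            if a in scores:
                buckets[demo[by]][a].append(scores[a])
    return {g: {a: round(mean(v), 2) for a, v in per_area.items()}
            for g, per_area in buckets.items()}


def largest_gaps(strata, areas=AREAS):
    """Per area, the spread between the most and least confident group (who is out of sync)."""
    out = {}
    for a in areas:
        by_group = {g: m[a] for g, m in strata.items() if a in m}
        hi = max(by_group, key=by_group.get)
        lo = min(by_group, key=by_group.get)
        out[a] = {"gap": round(by_group[hi] - by_group[lo], 2),
                  "high_group": hi, "low_group": lo}
    # Largest disagreement first.
    return dict(sorted(out.items(), key=lambda kv: kv[1]["gap"], reverse=True))


def trend(current_means, baseline_means):
    """Change per area since the baseline; negative values are areas losing confidence."""
    return {a: round(current_means[a] - baseline_means[a], 2)
            for a in current_means if a in baseline_means}


if __name__ == "__main__":
    print("Bottom areas:", rank_areas(SAMPLE_RESPONSES)[:3])
    gaps = largest_gaps(stratify(SAMPLE_RESPONSES, "function"))
    for a, g in list(gaps.items())[:3]:
        print(f"{a}: gap {g['gap']} ({g['low_group']} vs {g['high_group']})")
    for a, d in trend(area_means(SAMPLE_RESPONSES), BASELINE_MEANS).items():
        if d < 0:
            print(f"Declining since baseline: {a} ({d:+})")
```

Stratifying by "position" or "project involvement" instead of "function" is the same call with a different key, which is how the deck's different demographic perspectives are produced from one set of responses; the trend output is what a follow-on assessment would report to show whether communication and execution changes moved the needle.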

Project risk assessment presentation feb 2013

  • 1. Project Risk Assessment © Thomas E. Festing – 2013 1
  • 2. A Little Background – Tom Festing State of Ohio: 11 Years In The US Army - Captain: Office of Budget & Management Communications & Automation Internal Audit / IT General Controls Banking & Finance Risk Assessments /Consulting support Have driven an Abrams M1 Tank (mighty fine) Things, That If I Told You – 10 Years Internal Audit/Risk Management : JP Morgan Chase & Prudential Home Mortgage Someone “May Come And Take Us Both Away”! Risk assessments, Privacy, ITGC reviews Education/Certifications: Infrastructure / Data Center Technology CISA/CRISC BSBA In Accounting (Back When Dirt Was New) 1 Year CIO: Been Working On A Masters Since 1981 Non-traditional Credit Card Industry “Owned” IT functions 35 Years Married: Wife & Two Children 10 Years Public Accounting: Moved 17 times in 35 years 7 years with Arthur Andersen Two Dogs IT audit and consulting support 2 year old Grandson IT Risk Assessment & Governance © Thomas E. Festing – 2013 2
  • 3. This is not a “technology” presentation …. It is from a “business risk” perspective! Today’s objective … but to make you is not to make aware of a risk-based you a “guru” … approach! © Thomas E. Festing – 2013 3
  • 4. Project Risk Assessment • Why are we here? • Definition – Risk Assessment • The Business Problem – Problem – Solution – Objective/Approach • The Process – Frame It – Collect It – Analyze It – Tell All • Life Cycle • Questions/Comments © Thomas E. Festing – 2013 4
  • 5. Why Are We Here Today? Risk professionals are confronted with developing processes that integrate with holistic risk management strategy complementing Enterprise Risk management, IT risk, privacy, and NIST 800-30 Risk Assessments. This session provides an example of a repeatable survey-based process that aids in assessing the business risks associated with managing large/complex projects. These risks transcend traditional functionality and code testing - expanding to potential business weaknesses within the areas of project governance, management, business requirements, design /architecture, implementation, and security. Review an approach that provides quantifiable results supporting stratification of potential issues by organization demographics - including business functions, position, experience, and participation at both a business and IT levels. Review deliverable examples that provide benchmark data that can be used by senior management and project sponsors to support accountability and follow-on assessments to evaluate changes in project communications and execution. © Thomas E. Festing – 2013 5
  • 6. The Business Solution What do you really want! Proactively identify areas where large project management may be at risk. Stratify possible risk areas based on demographics – who is “in sync” and who is “out”. Identify areas that can be adjusted to help ensure success. Understand how to make it easy! What will you get! Explanation/walkthrough of process. Copy of sample survey questions. Description of a “tool”. CPE credits … and © Thomas E. Festing – 2013 ME! 6
  • 7. Extract - Holistic Risk Assessment Strategy Enterprise Risk Management IT Risk Assessment NIST 800-30 G ov na er nce Se cur ity Ma na g me nt e Monitoring D a ta Ma na g me nt e Func ti na lity o Re cove rability/A v ila bility a R edu ndan t P i ci es and ol P orman ce erf Tran sact i n o D t A vai l abi l i y/ aa t B / R & R cove ry CD e P erson nel V en dor M anage m nt e C t ol C abi l t i s on r ap i e E ase of U se E xposure Pop ul at i n o E xt r al Faci ng e n User S curi t A dm. e y S uri y Moni t ori ng ec t D t P r va cy a a i C han ge A t vi t c i y A / el easeL evel ge R In vent ory P r ced ures o Moni t ori g n Mon i ori ng t I m ort ance p Archi t ect re u S eed p Suf f ci ent i C f den t on i No/L ow Ex posure S t on g r Exp er t Techn i al Supp ort c NoE xt rna l Faci ng e C t al i zed en r I n Pl ace Est abl i h ed s T racks D et ai A i vi y l ct t Publ i c D at a C urrent Lo w Lo w I m act p Lo w C ur r n t e I mport ant E xi t s s Li i ed C onf denc e mt i Moder at eE xposu r e M r i nal ag Some E per ence x i D epar t en t l m a I t er nal E xposu r n e M xed E nvi onment i r A d- Hoc A - oc dH P er f l U ser s ow u I t er nal n I mpor t n t a Medi m u Medi um Med i m u P ti l l ar a y C t mer C i i cal us o rt D ef i i ent - N ne c o No C nf i ence o d Hi h E xposu r g e Weak G eral U en ser "Everyo ne" Ex t rna l Exp osure e Decen t al i zed r D es N ot E xi t o s D oes N t Exi st o D es N ot Ex i t o s Pri vat e Hi ghl y I po r an t m t Hi h g Hi gh Lo w Hi gh Mi si on C t cal s ri i Optimized Po l ci esan d i Pe r orman ce f T r nsact i n a o D at aA vai l abi l t y/ i R edu ndan t BC / R & R ecove r D y Personn el V en dor M anage m nt e C t ol C abi l t i s on r ap i e E ase of U se E xposure Pop ul at i n o E xt r al Faci ng e n U r Secu ri y A m. 
se t d Se curi y Moni t ori g t n Dat aP r vacy i C han ge A i vi y ct t A / el easeL evel ge R In vent ory Procedu res Mon i ori ng t M oni t r ng oi Import ance Archi t ect re u Sp eed 3 2 2 2 9 3 2 2 2 2 2 9 3 5 2 3 2 6 5 9 5 4 5 9 9 9 9 5 4 9 3 5 5 5 9 10 2 5 2 2 9 2 2 5 5 2 2 9 5 2 2 3 9 10 5 2 2 3 9 9 2 2 5 2 2 9 3 5 2 3 2 10 Risk Environment 5 10 2 9 9 9 9 2 6 3 9 9 5 8 10 3 5 10 5 9 6 5 5 5 2 5 5 2 2 9 3 8 3 3 2 10 5 9 9 2 6 9 9 9 2 8 2 9 3 5 2 3 2 6 5 6 2 2 7 6 2 6 5 3 2 9 3 5 2 3 2 10 Preparing For Ris k As s es s ment (U nders tand) 6 10 10 3 9 9 2 6 9 6 9 9 3 3 10 3 5 10 3 2 5 5 7 6 3 2 5 2 8 9 3 5 2 3 2 10 5 10 10 1 5 4 5 2 2 2 10 10 7 5 2 3 5 10 Execute Audit 5 5 2 2 9 9 5 5 2 2 5 9 3 5 2 3 2 10 5 9 2 2 7 5 5 5 2 2 5 9 3 5 5 3 2 10 Identify Threat 3 5 2 5 9 9 9 5 5 9 9 9 5 2 5 3 2 10 5 5 2 2 3 2 9 5 2 2 2 9 3 5 2 3 2 10 Plan/Scope 5 9 5 2 2 10 10 5 7 5 2 9 3 5 2 3 2 10 Communications & Information Sharing (Deliverables ) Risk Assessment 5 9 5 2 2 2 1 5 2 5 2 9 3 5 2 3 2 10 Identify Vulnerabilities / Predis pos ing Maintaining Ris k As s es s ment (Life Cycle) 5 5 5 3 5 10 10 5 5 5 Conditions 2 9 3 5 2 3 2 6 6 10 10 6 2 9 9 9 9 9 6 9 3 5 3 3 5 10 5 5 9 5 9 2 2 5 6 2 2 2 3 2 2 5 2 5 5 5 9 5 9 2 2 5 2 2 2 2 3 2 2 5 2 5 5 10 10 5 5 5 9 9 8 3 10 10 9 5 2 3 5 10 Determine Likelihood of Occurrence IT Ris k As s es s ment Hi Determine Impact Control Effectiveness gh 1 1 1 3 3 3 1 1 Determine Ris k 3 3 1 1 3 3 Regulatory Availability Efficiency 1 3 1 1 3 3 Likelihood 1 3 1 3 1 3 1 3 1 3 1 3 1 3 L o H w i Impact g h IT Governance Focus Enterprise Risk Mgmt Focus • Assess IT technology risk drives Strategy • Regulatory requirement Governance • Creating A Multi-Year Audit Plan • Identifying security threats/ likelihood/ impact • Technology device/process focus • Business focus Focus • Regulatory requirements Focus GOVERNANCE APPLICATION • Data Privacy • Large/complex projects STORAGE/ • Provides quantifiable TRANSIT REMOVABLE analysis stratifying key MEDIA Common 
Linkage governance areas REPORTS Linkage to ERM Project Risk Assessments Privacy Managing Change © Thomas E. Festing – 2013 7
  • 8. Risk Assessment A Risk Assessment is a logical first step in a methodical risk management process ... that provides a framework for creating a quantifiable or qualitative value of the risk ... linking to threat sources and vulnerabilities … supporting determining the inherent likelihood and impact …. that could hinder an organization from attaining its business goals and objectives in an efficient, effective, and controlled manner – be it process, technology, people, or vendor generated. © Thomas E. Festing – 2013 8
  • 9. Project Risk Assessment Process 9 Thomas E. Festing – 2013
  • 10. Project Risk Assessment Process Ready? 10 Thomas E. Festing – 2013
  • 11. Project Risk Assessment – New Agenda Nope… I used to think that 90% was all about the journey – and thought everyone was excited about the trek as I was. The end was just the conclusion of the “fun stuff”. Well – its not. You need to see what’s at the end so you can see if the 90% is worth the 10%. It also allows you to see why the path is not “easy”. So here’s the modified agenda. © Thomas E. Festing – 2013 11
  • 12. Project Risk Assessment – New Agenda • A “Peek” To End Deliverables What do I get! • Definition – Risk Assessment • The Business Problem Why do I even want – Problem to take this trip! – Solution – Objective/Approach What will I take the trip in … is it sound! • The Process 10% - End Deliverable – Tell All – Frame It – Collect It 90% - Fun Stuff – Analyze It – Tell All 10% - End Deliverable .. recap • Life Cycle Sustain … don’t make the same trip twice • Questions/Comments How many CPE did I get for this? © Thomas E. Festing – 2013 12
  • 13. THE PEEK © Thomas E. Festing – 2013 13
  • 14. The Peek Wouldn’t it make more sense to be able to get a peek at what we will “get … like: Define critical project risk and demographic areas! Strategy for collecting and analyzing data! Understanding what/how to communicate results! How you can track improvements. Understand how this links to ERM and other risk assessments! May be handy – especially if we run out of time …… © Thomas E. Festing – 2013 14
  • 15. The Business Problem Large projects tend to fail. Need to find a way to identify potential risk areas. Need to find a way to track improvements. © Thomas E. Festing – 2013 15
  • 16. Critical Risk Areas Management Governance Need a common language. Program Management Use a limited number of broad-based “business relevant” control areas. Business Requirements They do need to link to standard Design & Development control areas so they are “defendable” and tie to audit & ERM. Implementation/Operations Build standard survey questions for each “Control Area”. Information Security End results - 6 Categories / 22 Sub-areas / 47 Questions. © Thomas E. Festing – 2013 16
  • 17. Collect / Analyze Data By Demographics Stratifying & consolidating data by demographics provides a way to gauge responses and provide different perspectives. Gaining input across different “levels” and organizational groups helps identify who is or is not ……… © Thomas E. Festing – 2013 17
  • 18. Collect / Analyze Data By Demographics Functional Need to: Project Involvement Area/Responsibility Identify demographics Executive Leadership Collect input with anonymity Core Team Member Line Of Business Keeps it relevant & limited Subject Matter Expert Information Technology Example demographics …. Tester Vendor/Consultant None Position Years Experience Executive Management 1-3 Years Senior Managers/ Use On-Line Survey 3-6 Years Directors Supervisors 6-9 Years Staff > 9 Years © Thomas E. Festing – 2013 18
  • 19. Collect & Analyze Data Success is not driven by slogans, mandates, and t-shirts – but by the support of the diversified team © Thomas E. Festing – 2013 19
  • 20. Collect & Analyze Data Data Collection Import To Core By Critical Risk Areas Risk Engine (6 Categories / 22 Sub-areas) Use On-Line Survey Management Governance (Survey Monkey) Program Management Business Requirements Design & Development CORE RISK ENGINE Implementation/Operations Information Security By Demographics & 47 specific Question “Crunch” Data © Thomas E. Festing – 2013 20
  • 21. Communicate To Management A way to communicate Overall Top / so management can Bottom 5 areas “size” and “track”. Baseline 1 i 1 H 9 h g 1 9 6 1 2 5 0 4 1 3 3 8 Future Point In Time 2 1 7 4 4 1 2 6 1 1 Impact Project Success 1 2 5 2 6 2 1 5 1 H h g 7 i 7 9 1 Detail By Question 1 4 3 0 8 5 8 1 7 9 2 1 2 0 2 Area/Demographics 1 Impact Project Success 1 6 1 1 0 8 3 5 2 1 w o 1 L 2 1 4 9 8 7 6 5 4 3 2 1 1 1 Extremely Confidence Level Not Confident 6 0 Confident 1 2 7 Risk Ares 1 3 2 0 1 1 8 9 Heat Map w o L Extremely Confidence Level Not Confident Confident © Thomas E. Festing – 2013 21
  • 22. Communicate To Management GOAL: CONCLUSION - RECOMMENDATION - PRIORITIZATION Significant areas indicated a protracted lack of confidence. Area average – except Information Security – were lower at this milestone than the previous two assessments. © Thomas E. Festing – 2013 22
  • 23. Coordinated ERM and Risk Assessments LIFE CYCLE 6 OTHER RISK BUSINESS AREAS 8 ASSESSMENTS Legal/Regulatory Various Risk Reports Project Risk Risk Assessment Various Risk Reports Assessment Various Risk Reports 1 DR/BC Business Impact Assessment CORE RISK ENGINE Enterprise Risk Management (ERM) Business Process Assessment 2 “What Privacy Risk If” Governance/Process Assessment 5 Preventative/Logical 6 PRIORITIZATION Detective/Monitoring Threat Assessment RESIDUAL/INHERENT RISK Change Management NIST 800-30 4 TECHNOLOGY CHANGE RISK TOLERANCE Availability/Data Management COMMON RISK TECHNOLOGY AREAS Business Process DRIVERS Risk Driver IT Risk Assessment Technology Device 3 Audit Plan IT Business Plan © Thomas E. Festing – 2013 23
  • 24. Now the detail fun journey for the “why” and “how”! PEEK END © Thomas E. Festing – 2013 24
  • 25. The Business Problem © Thomas E. Festing – 2013 25
  • 26. Risk Assessments For years we have convinced ourselves that all we needed to do was carry forward our audit approach and strategy from year to year – or just focus on NIST. We acknowledged that there was always “change”, and some level of “business risk” that management would accept. After all, what you didn’t know couldn’t hurt you! …or is it “If it doesn’t kill you – it makes you stronger”? No one disputes that project risk increases based on the project size and duration. Today – we have traditionally built structured risk-based approaches based on a combination of financial risk management, technology risk assessment framework, and risk-based audit scoping that works in concert with the overall enterprise risk management model to guide audit’s assurance of “reasonable” levels of residual risk. © Thomas E. Festing – 2013 26
• 27. The Business Problem
Organizations are confronted with having to develop efficient, effective, and repeatable assessment tools to aid in assessing the business risks of managing large enterprise projects.
Pressure is placed on more than just functionality and code testing; it now extends to deciding where to focus limited resources to target potential weaknesses within the project areas of: Governance, Project Management, Business Requirements, Design/Architecture, Implementation, and Security.
Pressure is being applied by Audit Committees and Boards to understand costs / benefits and what proactive steps are being taken to reduce industry “failure” rates!
• 28. The Business Problem
2012 Gartner – Survey
“.. While larger projects are more likely to fail than smaller projects, around half of all project failures, irrespective of project size, were put down to functionality issues and substantial delays.”
“.. Failure rate of IT projects with budgets exceeding $1 million was found to be almost 50% higher than for projects … below $350,000.”
“.. Smaller projects experienced a one-third lower failure rate than large projects . keep small … not exceeding six months in duration …”
Specifically identified:
Cost: Not identifying budget variances / overruns early. Changes in scope – with related impact to cost vs. budget.
Functionality: Not capturing business functionality expectations.
Quality.
Infrequent project status meetings.
Misalignment with business strategy.
Late!
(Callout: Sounds like project management & Governance to me!)
• 29. The Real Business Solution
This session provides an example approach of a repeatable survey-based process that:
Provides quantifiable analysis techniques gained by evaluating input across demographic cross sections by:
• Functions,
• Position,
• Experience, and
• Participation at both the business and IT levels.
Provides quantifiable results that support stratification of potential issues both by project area and by organization layer.
Delivers benchmark data to support:
• Audit focus during the project.
• Follow-on assessments to evaluate whether changes in project communications and execution are achieving the desired results.
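The stratified, milestone-over-milestone analysis that slides 22 and 29 describe can be shown concretely. The block below is an added example, not code from the deck or its author: it takes constructed survey responses (a 1-to-5 confidence score per respondent per project area, which is an assumed scale), averages them per area, cuts them by function, position and experience band, flags areas whose average has fallen below both prior milestones (the situation slide 22 reports, where every area except Security declined), and flags areas where the business and IT views diverge. The area names are the six from slide 27; every other name and value is constructed for illustration.

```python
"""Stratified analysis of project-risk survey responses.

Added example, not part of the original slide deck. The survey data below is
constructed for illustration; scores are assumed to be on a 1 (no confidence)
to 5 (full confidence) scale.
"""
from collections import defaultdict
from statistics import mean

# The six project areas named in the deck.
AREAS = ("Governance", "Project Management", "Business Requirements",
         "Design/Architecture", "Implementation", "Security")

# Constructed responses: (milestone, function, position, years_experience, area, score)
RESPONSES = [
    # milestone 1
    (1, "Business", "Manager", 12, "Governance", 4),
    (1, "IT", "Staff", 3, "Governance", 4),
    (1, "Business", "Staff", 2, "Business Requirements", 4),
    (1, "IT", "Manager", 15, "Business Requirements", 4),
    (1, "IT", "Staff", 3, "Security", 3),
    (1, "Business", "Manager", 12, "Security", 3),
    # milestone 2
    (2, "Business", "Manager", 12, "Governance", 4),
    (2, "IT", "Staff", 3, "Governance", 3),
    (2, "Business", "Staff", 2, "Business Requirements", 4),
    (2, "IT", "Manager", 15, "Business Requirements", 3),
    (2, "IT", "Staff", 3, "Security", 3),
    (2, "Business", "Manager", 12, "Security", 4),
    # milestone 3
    (3, "Business", "Manager", 12, "Governance", 3),
    (3, "IT", "Staff", 3, "Governance", 2),
    (3, "Business", "Staff", 2, "Business Requirements", 4),
    (3, "IT", "Manager", 15, "Business Requirements", 1),
    (3, "IT", "Staff", 3, "Security", 4),
    (3, "Business", "Manager", 12, "Security", 4),
]

# Column positions inside a response tuple.
FIELDS = {"milestone": 0, "function": 1, "position": 2, "experience": 3,
          "area": 4, "score": 5}


def experience_band(years):
    """Bucket years of experience so the 'experience' cut has few, comparable groups."""
    return "<5y" if years < 5 else "5-10y" if years <= 10 else ">10y"


def area_averages(responses, milestone):
    """Mean confidence score per project area at one milestone."""
    scores = defaultdict(list)
    for r in responses:
        if r[0] == milestone:
            scores[r[4]].append(r[5])
    return {area: round(mean(v), 2) for area, v in scores.items()}


def stratified_averages(responses, milestone, area, by):
    """Mean score for one area, split by a demographic cut ('function', 'position', 'experience')."""
    idx = FIELDS[by]
    scores = defaultdict(list)
    for r in responses:
        if r[0] == milestone and r[4] == area:
            key = experience_band(r[idx]) if by == "experience" else r[idx]
            scores[key].append(r[5])
    return {k: round(mean(v), 2) for k, v in scores.items()}


def declining_areas(responses, current, previous):
    """Areas whose average at `current` is below its average at every milestone in `previous`."""
    cur = area_averages(responses, current)
    prev = [area_averages(responses, m) for m in previous]
    return sorted(a for a, v in cur.items() if all(v < p.get(a, 0) for p in prev))


def divergent_areas(responses, milestone, by="function", threshold=1.0):
    """Areas where demographic groups disagree by at least `threshold` points.

    A wide Business-vs-IT gap is the stratification signal the deck is after:
    one side sees a problem the other does not, which is where audit
    attention and follow-on assessment should be focused."""
    out = {}
    for area in area_averages(responses, milestone):
        groups = stratified_averages(responses, milestone, area, by)
        if groups and max(groups.values()) - min(groups.values()) >= threshold:
            out[area] = groups
    return out


if __name__ == "__main__":
    for m in (1, 2, 3):
        print(f"milestone {m}: {area_averages(RESPONSES, m)}")
    print("declining at milestone 3:", declining_areas(RESPONSES, 3, [1, 2]))
    print("divergent by function:", divergent_areas(RESPONSES, 3))
```

With the constructed data, Governance and Business Requirements are reported as declining at milestone 3 while Security is not, mirroring the slide-22 conclusion, and the Business Requirements gap between the business respondent and the IT respondent shows how a stratified cut points at a specific organization layer rather than a whole area.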
