Week 6 Flashcards

(112 cards)

1
Q

3 Criteria For a Mature Framework

A

Maturity Models
Self-Assessment
Alternative to Maturity Models

2
Q

What are maturity models used for

A

To assess the performance of risk management frameworks

3
Q

How do firms rate their design and implementation against a maturity model?

A

On a 4- or 5-point scale

4
Q

How can firms self-assess maturity?

A

Based on their own objectives; they don't need to aim for "expert" in every area

5
Q

What can act as an alternative to Maturity Models

A

A list of quality criteria for each part of the risk management framework

6
Q

Key criteria to assess ORM quality (RAKI B)

A

  • Risk assessment
  • Action plans
  • KRIs (key risk indicators)
  • Incident data
  • Benchmarks

7
Q

How to demonstrate the value of ORM

A

Challenge - managers struggle to prove the value of their work
Strategy - demonstrate tangible benefits
Approach - focus on improvements

8
Q

What is a risk-based approach to ORM?

A

Focus on the top risks first
Reach an operational risk steady state
Address the pressing risks arising from the firm's activities before day-to-day issues

9
Q

How long does it take to reach BAU (business as usual) in operational risk?

A

Years

10
Q

The worst outcome for a risk manager (the "deadly sin")

A

To get pushed back or ignored, and so become irrelevant to the organization

11
Q

The good outcome for a risk manager (the "golden rule")

A

To be accepted and respected: demonstrate the value of better risk management and the individual benefits to the teams

12
Q

What are the effects of reduced large losses?

A

Business stability
Measurable metrics

13
Q

What are the metrics for reduced large losses and business stability?

A

- Tail risk losses
- Large incident count
- P&L volatility
- Share price volatility vs the equity market

14
Q

How does good ORM increase productivity

A

Resource Allocation
Project Management
Strategic Advice

14
Q

How can you build a business case for ORM?

A

Evidence the benefits
Metrics

14
Q

What metrics can help build the business case?

A

  • Success rate of internal projects
  • Trends in cost/income ratio
  • Operational losses in new investments

15
Q

ORM maturity framework assessment criteria

A

incident data collection
risk reporting and feedback
risk assessment

16
Q

Best practice for ORM

A

Gain acceptance for access to info and incidents.
Demonstrate benefits to business teams
Focus on top risks

17
Q

Seven ORM Priorities for Starter Firms

A

Firm-wide Screening
Reporting and Action Plans
IT ORM Solution
Action Plan
Risk Training
Risk Taxonomy
BAU

18
Q

What is firm-wide screening?

A

Identify high-risk areas through a top-down risk assessment

19
Q

What does firm-wide screening focus on?

A

Areas with high money flows and transaction volumes

20
Q

what is a risk taxonomy

A

Categorize risks, causes, impacts, and
controls to enable effective risk assessment.

21
Q

When seeking ORM acceptance from managers, how should this be done?

A

Focus on demonstrating the value of
risk management, not just compliance

22
Q

What must be done to demonstrate the value of ORM?

A

Build a business case for ORM

23
What value does ORM have beyond compliance?
ORM leads to better decision-making and business performance
24
3 key business benefits of ORM
* Reduced losses improve stability and profitability.
* Cost-benefit analysis ensures controls are worth the investment.
* Increased productivity frees resources for productive work.
25
What are the priority areas of a risk-based approach?
- Back-office, IT, finance functions
- High transaction volumes
26
How is a risk based approach implemented
Address top risks first before rolling out the ORM framework across departments
26
When should ORM software be considered?
Only when ORM has reached a steady state.
27
How should ORM systems be integrated?
Ensure the system integrates with existing systems and avoids redundant data capture
28
what is the importance of project risk management
ensures projects are completed on time, within budget, and to desired quality
28
how can you embed continuous improvement in ORM
Feedback loop
29
What standards must ORM align with?
ISO 31000 and the COSO ERM framework
30
how can a proactive approach be taken on regulatory compliance
Focus on good risk management practices rather than mere regulatory adherence
31
what is the objective of project risk management
minimize risks to project outcomes and maximize opportunities
31
what does the project team typically manage
time, budget, and delivery quality risks
31
what is Project risk management
Identifying, assessing, and controlling risks throughout a project to ensure successful completion.
32
Second Stage of Involvement of the Risk Function in Project Management
Project Life: Monitoring and Risk Update
33
What type of approach to project risk ratings ensures efficient resource allocation?
A tailored (risk-based) approach
33
what is Budget as Proxy technique in project risk rating
Budget reflects project size/commitment, rated relative to EBIT or in currency
33
what does the risk function oversee
execution and project-related risks
34
what should The risk function focus on
larger, riskier projects
34
who are Regular reports shared with
all stakeholders, including the risk function
35
How are smaller projects managed?
By following the general risk management policies.
35
3 Stages of Involvement of the Risk Function
initial, project life, project closure
36
Common causes of project failures
- Invalid business case
- Quality
- Unclear outcomes
- Communication
- Direction
- Cost estimation
- Planning
- Control
36
Requirements before project approval, from risk management
- Objectives
- Budget + cost-benefit
- Impact
- Risks + mitigation
- Reporting
- Project manager
36
What must the project team send regular reports on?
Execution risks and project risks
37
what Additional Risk Criteria can rate project risk
Customers ,regulation , and reputation
37
Risk-based rule for project leadership
- Fully dedicated (100%): professional and experienced, for important projects
- Part-time dedicated (50%): relevant experience, for important or complex projects
- Internal, non-specialised: for non-important projects
37
how often should risk identification and assessment workshops be with project and risk teams
quarterly or six-monthly
38
How is risk scored under the sophisticated project rating?
Score out of 5 (5 = highest risk, 1 = lowest risk)
38
Risk rating in Smaller vs. Larger Organizations
Smaller use simple rating -less involvement. Larger have detailed ratings and closer collaboration on critical projects.
38
How does Simple Project Rating rate risk of projects
budget, process, people, and assets impacted.
39
Assets and People Impact risk rating technique
% of assets or people affected
39
When using Simple Project Rating, how is the final rating decided
The highest rating defines the overall project rating.
39
What is Critical Process Impact rating
Projects are critical if they affect critical processes (Yes/No)
40
What happens in the initial stage of the risk function's involvement?
A risk identification and assessment workshop
40
Simple project rating criteria
Budget; impact on critical processes (Y/N); % of people/assets impacted
40
What does an RCSA (risk and control self-assessment) do?
Systematically identify and assess risks
40
How to improve the timeliness of projects
Removing dependencies and dependency paths
41
What does systematic debriefing help to avoid?
Repeating past mistakes, while leveraging successes
41
Role of the risk function
Prompt use of a lessons-learned database; focus on larger, riskier projects.
41
What do project portfolio views display?
Interdependencies, path dependencies, resource management
41
When does the risk function get involved?
On critical or important projects: involved in project scoping, budgeting, and supporting risk identification and assessment.
41
3 types of risk rating for projects
Simple - budget, critical process, people/assets impact
Sophisticated - customer, regulatory, reputation impact
Risk-based - allocate resources based on the rating
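The simple project rating (budget as a proxy for size, critical-process impact as Yes/No, % of people and assets impacted, highest criterion score defining the overall rating), the risk-based rule for project leadership and the risk function's focus on larger, riskier projects, worked through in code. This is an added example, not code from the flashcards or from any ORM text the deck summarises; every band boundary, score mapping and the sample portfolio are assumptions made for illustration, since the deck gives no numeric thresholds.

```python
"""Added example, not from the flashcards: the simple project rating
(budget as proxy, critical process Y/N, % people/assets impacted, highest
score wins), then the risk-based leadership rule and the risk function's
project focus. All bands, score mappings and sample data are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    name: str
    budget: float                   # project budget, same currency as ebit
    ebit: float                     # firm EBIT; budget is rated relative to it
    affects_critical_process: bool  # the Yes/No criterion
    pct_people_impacted: float      # 0..100
    pct_assets_impacted: float      # 0..100


def rate_budget(budget: float, ebit: float) -> int:
    """Budget-as-proxy: score 1..5 from budget as a fraction of EBIT (assumed bands)."""
    if ebit <= 0:
        raise ValueError("ebit must be positive to rate budget relative to it")
    ratio = budget / ebit
    bands = (0.01, 0.05, 0.10, 0.25)   # assumption: 1%, 5%, 10%, 25% of EBIT
    return 1 + sum(ratio >= b for b in bands)


def rate_percentage(pct: float) -> int:
    """% of people or assets affected -> score 1..5 (assumed bands)."""
    if not 0 <= pct <= 100:
        raise ValueError("percentage must be within 0..100")
    bands = (5, 15, 30, 50)
    return 1 + sum(pct >= b for b in bands)


def rate_critical_process(affects: bool) -> int:
    """Yes/No criterion; assumption: touching a critical process is the top score."""
    return 5 if affects else 1


def simple_rating(p: Project) -> dict:
    """Score each criterion, then let the highest score define the overall rating."""
    scores = {
        "budget": rate_budget(p.budget, p.ebit),
        "critical_process": rate_critical_process(p.affects_critical_process),
        "people": rate_percentage(p.pct_people_impacted),
        "assets": rate_percentage(p.pct_assets_impacted),
    }
    return {"scores": scores, "overall": max(scores.values())}


def leadership_rule(overall: int) -> str:
    """Risk-based allocation of project leadership (assumed cut-offs on the 1..5 scale)."""
    if overall >= 4:
        return "fully dedicated (100%) professional and experienced PM"
    if overall == 3:
        return "part-time dedicated (50%) PM with relevant experience"
    return "internal, non-specialised PM"


def projects_for_risk_function(projects, min_overall: int = 4):
    """The risk function focuses on the larger, riskier projects; smaller ones
    follow the general risk management policies."""
    return sorted(p.name for p in projects
                  if simple_rating(p)["overall"] >= min_overall)


# Constructed sample portfolio (not real data); firm EBIT assumed at 100m.
PORTFOLIO = [
    Project("CRM migration", 2_000_000, 100_000_000, False, 3.0, 10.0),
    Project("Core banking upgrade", 30_000_000, 100_000_000, True, 60.0, 40.0),
    Project("Payments switch patch", 500_000, 100_000_000, True, 1.0, 2.0),
    Project("Branch refit", 6_000_000, 100_000_000, False, 20.0, 0.0),
]

if __name__ == "__main__":
    for p in PORTFOLIO:
        r = simple_rating(p)
        print(f"{p.name:<24} {r['scores']}  overall={r['overall']}"
              f"  -> {leadership_rule(r['overall'])}")
    print("risk function follows:", projects_for_risk_function(PORTFOLIO))
```

The "highest rating wins" rule is what makes the small "Payments switch patch" project rate 5: its budget scores 1, but it touches a critical process, so it gets a dedicated PM and the risk function's attention, while the mid-sized "Branch refit" lands on 3 and a part-time PM.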
42
what happens after project closure
systematic reviews of project deliverables and quality.
42
what database gets updated after project closure
database of lessons learned to avoid repeating mistakes and to replicate success
42
KRIs for projects
Project info
Business case + mitigation
Residual risk
Project management risk
42
what does Project Reporting focus on
time, budget, and quality of deliverables
43
How are KRIs for project management tracked?
RAG (red/amber/green) rating
44
What are information security risks?
Threats to the confidentiality, integrity and availability of data: cyber risks, data breaches, and physical loss
45
importance of Information Security Risks
prevents financial losses, reputational damage, and regulatory penalties
46
objective of Information Security Risks
Implementing robust security measures to protect sensitive information
47
4 Types of Information Security Incidents
Cyber, Physical, Internal, External
48
Cyber risks
Hacking, viruses , phishing
49
Internal
misconduct, mishandled exits with sensitive information
49
Physical
Theft, social engineering
49
External
Third-party failures, system disruptions
50
what does Reputational Damage Vary based on
brand recognition
50
ISO/IEC 27001:2013
Widely recognized information security standard offering general guidance
51
what does ISO Certification act as, what is it limited by
Acts as an evaluation framework, but does not offer detailed, implementable steps.
52
purpose of Information Asset Inventory
identify and categorize information assets for better risk management
53
4 categories of information asset inventory
* Highly confidential
* Confidential
* Internal
* Public
54
3 steps to making an information asset inventory
* Identify business-critical assets.
* Determine confidentiality levels.
* Assign protection priorities.
55
2 steps of the risk assessment process
1. Surveys and RCSAs
2. Scenario analysis
56
How to Model potential incidents as part of scenario analysis
fault trees and Bayesian networks
57
How to carry out impact estimation as part of scenario analysis
Conduct Monte Carlo simulations
58
Behavioral controls for information security risks (3)
Awareness campaigns
Rules of conduct
Monitoring and sanctions
59
Technical controls (measures) for information security risks
Preventive - firewalls, encryption, passwords
Detective - DLPD (data leak prevention and detection), login monitoring
Mitigating - backups, system redundancies
60
KRIs for information security
Exposure - spread of sensitive info / number of users with access
Control failure - patching status, phishing test results
Stress - workload, IT team vacancies
Causal - employee compliance metrics, lost devices
61
what caused the Equifax Data Breach
External intrusion due to unpatched vulnerability.
62
Result of equifax breach
exposure of 145.5 million customer records.
63
what caused the Facebook and Cambridge Analytica data breach
Improper data sharing with political consultancy
64
result of the Facebook and Cambridge Analytica data breach
Led to significant reputational damage and regulatory scrutiny
65
what standard Provides a framework for information security management
ISO/IEC 27001
66
four quadrants of risk taxonomy
internal, external, data loss, data theft
67
what is Risk-Based asset Protection
protecting critical assets since fully protecting all data is too costly
68
cybersecurity steps
Identify key assets. Prioritize protection. Keep documentation up-to-date.
69
Future trends in information security
Advanced threat detection (AI and ML)
Enhanced data privacy regulations
Integrated security solutions
70
Purpose of Information Asset Inventory
Prepares for risk assessment and drives mitigation efforts based on asset value.
70
Challenges with information asset inventory
Broad categories / inconsistent classification
71
How are Tail risk events, like data breaches modeled
scenario analysis
72
how many layers of preventive controls are used to calculate joint failure probabilities
3
73
What generates probability distributions for scenario analysis
Monte Carlo simulations
74
How is Impact calculated
considering time to detection, data volume affected, and data value
75
what is included for more realistic loss estimates.
Post-event mitigation (recovery and crisis management)
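The scenario-analysis chain the cards above describe (joint failure of three preventive control layers, Monte Carlo generation of the severity distribution from time to detection, data volume affected and data value, then post-event mitigation for a more realistic net loss), carried through as a runnable model. This is an added example, not code from the flashcards or from any real firm's scenario model. Assumptions: the control layers fail independently, time to detection is log-normally distributed, exfiltration runs at a constant rate until detection, and every parameter value (record count, value per record, leak rate, detection time, recovery share, the 0.05/0.20/0.30 layer failure probabilities) is illustrative only.

```python
"""Added example, not from the flashcards: scenario analysis of a data-breach
tail event. Frequency = joint failure of three preventive layers; severity =
Monte Carlo over time to detection x data volume x data value; post-event
mitigation reduces gross to net loss. All parameters are assumptions."""
import math
import random
import statistics


def joint_failure_probability(layer_failure_probs):
    """P(every preventive layer fails) under the independence assumption.
    Correlated failures (one root cause defeating several layers) would make
    the true figure higher; an empty list means no preventive layer, i.e. 1.0."""
    p = 1.0
    for q in layer_failure_probs:
        if not 0.0 <= q <= 1.0:
            raise ValueError("failure probabilities must be in [0, 1]")
        p *= q
    return p


def simulate_breach_severity(rng, records_held, value_per_record,
                             leak_rate_per_day, mean_detection_days,
                             recovery_factor):
    """One breach, conditional on the controls having failed.
    Returns (gross_loss, net_loss). Time to detection ~ log-normal with the
    given mean (assumption); the attacker copies leak_rate_per_day records
    until detected, capped at what the firm holds; recovery_factor is the
    share of the gross loss that post-event mitigation claws back."""
    sigma = 0.6                                          # assumed dispersion
    mu = math.log(mean_detection_days) - sigma ** 2 / 2  # so E[days] == mean
    days = rng.lognormvariate(mu, sigma)
    records = min(records_held, leak_rate_per_day * days)
    gross = records * value_per_record
    return gross, gross * (1.0 - recovery_factor)


def run_scenario(severity, layer_failure_probs=(0.05, 0.20, 0.30),
                 trials=20_000, seed=7):
    """Frequency (joint control failure) x severity (Monte Carlo) -> loss figures."""
    rng = random.Random(seed)                            # fixed seed: reproducible
    p_breach = joint_failure_probability(layer_failure_probs)
    gross, net = [], []
    for _ in range(trials):
        g, n = simulate_breach_severity(rng, **severity)
        gross.append(g)
        net.append(n)
    net.sort()

    def percentile(sorted_xs, q):
        return sorted_xs[min(len(sorted_xs) - 1, int(q * len(sorted_xs)))]

    net_mean = statistics.fmean(net)
    return {
        "p_breach": p_breach,                            # per-period breach probability
        "gross_mean": statistics.fmean(gross),
        "net_mean": net_mean,
        "net_p95": percentile(net, 0.95),                # tail figures for the scenario
        "net_p99": percentile(net, 0.99),
        "expected_annual_loss": p_breach * net_mean,     # frequency x mean severity
    }


# Constructed parameters, not real data: 5m records at 150 per record, 50k
# records/day exfiltrated, 30 days mean time to detection, post-event
# mitigation recovering 35% of the gross loss.
SEVERITY = dict(records_held=5_000_000, value_per_record=150.0,
                leak_rate_per_day=50_000, mean_detection_days=30.0,
                recovery_factor=0.35)

if __name__ == "__main__":
    result = run_scenario(SEVERITY)
    for key, value in result.items():
        print(f"{key:>22}: {value:,.4f}")
```

Two things worth noticing when running it: the joint failure probability (0.05 x 0.20 x 0.30 = 0.003) is only valid if the layers fail independently, so a shared root cause such as one unpatched component behind all three layers has to be modelled as a single layer; and the cap on records held is what stops the log-normal detection tail from producing losses larger than the data the firm actually holds.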
76
what do Behavioral controls address
human behaviors and fallibility when it comes to handling and protecting information
77
Types of behaviour controls
awareness campaigns, conduct rules, prudence for employees, training, password management, supervision and sanctions
78
what do behaviour controls apply to
all types of information security risks, not just cyberattacks.
78
what do technological preventative controls include
system architecture, access, firewalls, encryption, passwords or patching and are essentially directed at external threats
78
what do technological detective controls include
early warnings of data leaks, like DLPD (data leak prevention and detection)