Michigan Bankers Association Best 2014 enterprise risk management ppt

Post on 25-Jan-2017


Enterprise Risk Management for Community Banks

Brian T. O’Hara, CISA, CISM, CRISC, CISSP
CISO, The Mako Group, LLC

btohara@makopro.com
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara

The Mako Group, LLC

• IT & Info Sec Auditing
• IT Risk Assessments
• Security Training
• Vulnerability Assessments
• Social Engineering
• PCI DSS 3
• FISMA Audits
• Penetration Testing
• Gap Assessments
• SOC 1 and SOC 2
• SOX 404
• HIPAA
• Virtual CISO

The Mako Group, LLC

• 1570 Woodward Ave., Detroit, MI 48266
  Phone: 313.355.0538
  Email: detroit@makopro.com

• 110 West Berry Street - Suite 2400, Fort Wayne, IN 46802
  Phone: 260.267.5999
  Email: fortwayne@makopro.com

• 8555 River Road - Suite 315, Indianapolis, IN 46240
  Phone: 317.941.MAKO (6256)
  Email: indianapolis@makopro.com

BIO

• CISO of The Mako Group, LLC
• ISSA Fellow
• Program Chair, CINT Ivy Tech NE
• Adjunct Faculty, Indiana Tech
• CISSP - Certified Information Systems Security Professional
• CISA - Certified Information Systems Auditor
• CISM - Certified Information Security Manager
• CRISC - Certified in Risk and Information Systems Control

BIO

• CAE of The Mako Group, LLC
• CPA
• MSA – Master of Science in Accountancy
• ISACA Detroit Chapter
• CISA - Certified Information Systems Auditor
• Previously ran the Sarbanes-Oxley and FDICIA programs for Ally Bank

What Is ERM?

• Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (http://www.rims.org/erm/pages/WhatisERM.aspx)

ERM Elements?

• Tied to the Bank’s Strategic Plan
• Chief Risk Officer (Top-Down Approach)
• Correlations (non-silo)
• Target Objectives
• Measurable
• Focus on Outcomes

ERM Principles

• Not just about Risk Mitigation
  – It is a management system
• Management Model that leads to action
• Unified Approach
• Answers Key Questions

Quiz 1

• Who Invented the World Wide Web?

• Tim Berners-Lee

ERM Key Questions

• Do we understand risk across the enterprise?
• What is the reward?
• Is the risk acceptable?
• Is the reward great enough?
• Does it link strategies?
• Is it supported from the top down?
• Are decisions made with input to the business as opposed to protecting lines of business?

Who Is ERM Designed For?

• Community Banks?
• Size?
• Complexity?
• Affordability?
• Value Add?

Examples

• Larger Banks
• Publicly Traded Companies (SOX)
• Service Providers (CORE)

ERM Value?

• Provides a more robust picture of risk
• Corrects Silo Risk Mentality
• Provides Greater Transparency
• Delivers Effective Resource Allocation
• Shifts Focus from Reactive to Proactive
• Examiner Expectations

Sound ERM

• IT Risks Rolled Up
• NO Risk Silos
• Integrated with Business Strategy
• Provides More Accurate Picture of Tolerance
• More Effective Resource Allocation
• Proactive vs. Reactive
• Helps Identify Key Controls

Poor ERM

• Risk Silos
• Poor View of Overall Risks
• Reactive rather than Proactive
• Examples
  – Target
  – TJ Maxx
  – Heartland Payment Processors

Quiz 2

• What was the first commercial web browser?

ERM Frameworks?

• COSO
• RIMS
• ISO
• COBIT
• FFIEC Guidance
• Johnson and Johnson
• NIST

Risk Management Frameworks?

• Cybersecurity (Executive Order 13636)
• NIST
• COBIT
• COSO
• ISO
• FFIEC Guidance

Communicating ERM Across Enterprise

• Quantitative vs. Qualitative
• $ to Risk to Exposure
• Opportunities

How To Implement ERM

• Pick a framework
• Get top management buy-in
• Establish enterprise stakeholders

How to Discuss with Sr. Mgmt

• Cost
• Risk
• Opportunity

How to Explain

• Quantitative vs. Qualitative Information

Quiz 3

• Who sent the first official “email” over the internet?

• Mark Tomlinson

When is ERM not a good fit?

• Lack of Sr. Management buy-in
• Size and complexity of operations
• Too expensive, cost vs. benefit

ERM Problems

• Lack of a single unifying framework
• Remains reactive
• Discounts insiders (relies on “experts”)
• Does not calculate mitigation costs
• Fails to rank risk
• Lack of academic studies showing effectiveness

Cybersecurity Framework

• NIST Creation
• Fits smaller community banks
• Easily tailored and scalable
• Encompasses ERM key components
• Provides control mappings to standards
• Above and beyond examiner expectations
• Affordable implementations

The Mako Group’s Approach (Hybrid)

• Guided (organization is the expert)
• Holistic
• Eclectic
• Customized based on organization needs
• Based on value added
• Built to optimize resource allocation

Conclusions

• ERM is not always a good fit
• Can be costly
• Can add unforeseen visibility
• Can add predictive value
• Can still provide guiding principles

Summary

• ERM value still unclear
• ERM is a holistic approach
• More complex
• More about choosing pieces that work for you
• Hybrid approaches using models like the Cybersecurity Framework provide the best of both worlds

THANKS

Brian T. O’Hara, CISA, CISM, CRISC, CISSP
CISO, The Mako Group, LLC
btohara@makopro.com
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara