Part I. Background
 1. What is Risk Management, what are the benefits?
 2. The Risk Management Framework
Part II. Risk Management Process
 1. Risks vs. Issues vs. Exceptions
 2. Establish the Context
 3. Assess the Risks
 4. Treat the Risks
 5. Monitor and Review the Risks
Part III. Supporting Information
 1. Global IT Risk Management Community
 2. Risk Management Resources
Risk Management
• The systematic and comprehensive identification and understanding of risk factors and their associated risks, together with a decision making process to implement appropriate controls.
• Aims to maximize potential opportunities, control uncertainties and minimize potential threats, thereby increasing the probability of achieving business objectives.
• Includes the conscious decision to accept risk.
• Is an ongoing, iterative process
Risk
• A risk is an uncertain future event that could affect the achievement of objectives.
• Is forward-looking (not a current issue)
• Has an element of uncertainty
• Could affect the achievement of objectives.
• Risk can be accepted, threats mitigated (reduced) or transferred, opportunities exploited and contingency plans can be prepared in case the risk (opportunity or threat) actually occurs.
Operational Risk
• A Risk which impacts operational effectiveness or efficiency.
Benefits of Risk Management
• Provides a consistent approach across the service and system spectrum, and documents the justification of decisions made in regards to risk and improvement activities.
• Formal Risk Management makes good business sense:
• Reduces total cost of ownership by lowering critical system failures, which raises system quality and customer satisfaction
• Reduces risk to an acceptable level
• Scales improvement activities commensurate with system/service complexity, customer expectations, supplier capabilities, and regulatory requirements
• Incorporates the evaluation of business and regulatory risks
• Focuses support activities where it’s most appropriate
• Improves the visibility of key decisions pertaining to risk
• Mitigates risk to patient safety, product quality, and data integrity
• Optimizes the use of resources and company assets
• Aligns to FDA’s risk based guidance and shareholder expectations
Background and purpose
A maturity roadmap provides a way to prioritise and visualise
development activities for Risk Management in your organization.
The initial Maturity Roadmap provides an objective starting point
You have to know where you are, before you can build the roadmap to
where you want to be
A sample roadmap follows.
Framework mapping (COSO Framework → Compliance Framework → Maturity Roadmap)
Control Environment → Organisation & Culture → Organisation & Culture
• Ensure effective oversight
• Collaboration between Group Risk, Assurance Functions & IAS
• Risk Management embedded within business activities
• Senior Stakeholder Engagement
• Promote awareness of Risk Management
• Effective Risk Networks
Risk Assessment → Risk Identification & Assessment → Risk Identification & Assessment
• Set and Embed Group Risk Appetite
• Identify Risks
• Understand Risks
Control Activities → Standard Setting & Control Activities → Standard Setting & Control Activities
• Develop a Risk Management Approach
• Manage Risks
• Relevant use of tools and technology
Information & Communication → Training, Communication & Reporting → Training, Communication & Reporting
• Educate and Train Employees
• Effective Reporting
Monitoring Activities → Monitoring & Auditing, Investigations & Remediation → Out of scope of Group Risk team; Compliance and IAS carry out these activities
Organizational Maturity Roadmap (scores: Current Maturity | 2016 | 2017+)
Organisation & Culture: 2.0 | 3.0 | 4.0
• Ensure effective oversight: 3.0 | 4.0 | 4.0
• Collaboration between Group Risk, Assurance Functions & Compliance: 2.0 | 4.0 | 4.0
• Risk Mgmt embedded within business activities: 2.0 | 3.0 | 5.0
• Senior Stakeholder Engagement: 3.5 | 4.0 | 5.0
• Promote awareness of Risk Management: 2.5 | 4.0 | 5.0
• Effective Risk Networks: 1.0 | 4.0 | 4.0
Risk Identification & Assessment: 3.0 | 3.5 | 4.0
• Set and Embed Group Risk Appetite: 3.0 | 4.0 | 5.0
• Identify Risks: 3.3 | 4.0 | 5.0
• Understand Risks: 2.7 | 3.0 | 5.0
Standard Setting & Control Activities: 2.8 | 3.3 | 5.0
• Develop a Risk Management Approach: 3.3 | 4.0 | 5.0
• Manage Risks: 2.5 | 3.0 | 5.0
• Relevant use of tools and technology: 2.5 | 3.0 | 5.0
Training, Communication & Reporting: 2.0 | 3.0 | 5.0
• Educate and Train Employees: 1.5 | 2.0 | 5.0
• Effective Reporting: 2.5 | 4.0 | 5.0
[Chart: maturity scores for Organisation & Culture; Risk Identification & Assessment; Standard Setting & Control Activities; Training, Communication & Reporting, plotted for Current, 2016 and 2017+]
The Larger Picture: How we use this Framework
• ISO 31000:2009, Risk Management – Principles and guidelines
• Global IT Risk Mgmt Standard
• IT Control Framework Risk Management Process Diagram
Risk Management Process (the ISO 31000 stages)
• Communication and Consultation
• Establishing the Context
• Risk Assessment
• Risk Treatment
• Monitoring and Review
Definitions
• Risk: Is something that has not yet happened.
• Issue: Is any uncontrolled activity or event which has already happened.
• Exception: Is a planned approved deviation from IS Policies and Standards.
• Note: We have separate processes for managing Risks, Issues, and Exceptions.
Risks, Issues, and Exceptions are Different but can be Related
• An issue can lead to the identification of a risk.
• An issue may lead to the requirement for a temporary exception.
• An exception usually has risks associated with it.
Example chain:
• ISSUE: Failure of backup for GxP System
• can lead to RISK: Other backups might fail
• can lead to EXCEPTION: Request for exception until the system can be fixed (a temporary exception may be raised)
Objective: Understand the scope for the IT risks you need to consider
Risk category
Business Change
Business Systems
Compliance with external Regulation
Data Quality
Emerging Technology
Global IT
IT Asset Management
IT Governance and Leadership
IT Resilience
People, Culture & Behaviours
Projects
Security & Privacy
Sourcing
Strategy & Architecture
• Future risks to consider
• Grey Swans & Black Swans
• Initiatives that must be delivered
Supporting process document: Guidance A - Establishing the context
• XX risk areas specific to Your organization (e.g., IT)
• Establish External Context
• Establish Internal Context
• Review key business objectives
• Your corporate strategy/goals
Objective: Identify risks and determine if they should be mitigated or accepted
A. Identify Risks
• The Requirement: Risks greater than $3M must be reported for Quarterly Business Review
• The Guidance: Risks that keep you up at night; risks that leadership L1, ITLT, CIO or group VP should know about
• Supporting process document: Guidance B - Risk Identification
B. Analyze Risks
• IT Risk Criteria: Impact (Financial & Reputational); Likelihood of Occurrence; Calculated Risk Score; Current Position; Trends; Existing Controls
• Supporting process document: Guidance C - Risk Analysis
C. Evaluate Risks
• Understand what it means to Your Organization
• Decide appropriate steps: Reduce or Accept
• Target Risks
• Requirement for Treatment
• Prioritization
• Supporting process document: Guidance E - Risk Evaluation
Impact
• An outcome of any circumstance, action, situation or event
• Outcomes can be positive (opportunities) or negative (threats)
• Pragmatically, we focus on managing negative outcomes
Likelihood of Occurrence
• The probability of an event occurring
• Ranges from a 1% chance (very low) to a 99% (very high) chance
• 0% means it will not occur
• 100% means it will occur
• If it has already occurred, it is not a risk (but rather an issue), although it may give rise to subsequent risks
Risk
• Risk = Impact x Likelihood of Occurrence
• Once a risk has been identified, it moves into Treatment/mitigation
• Options:
  • Avoid (slide annotation: "This is not risk management")
  • Share
  • Transfer
  • Reduce
  • Accept (slide annotation: "Pragmatically, we operate here")
A risk is something that has not yet happened.
• Risks greater than $x must be reported for Escalation
Supporting process document: Guidance G - Example Good Practice Risk Register
Table A: Global IT criteria (Likelihood, Financial Impact and Reputational Impact are each rated VH to VL; each rating carries the score shown)
VH - Very High (score 5)
• Likelihood: An event you can expect to happen within a 12 month period
• Financial impact: >$200m
• Reputational impact: Significant impact on AZ Group. Sustained international media and/or regulatory involvement. Group crisis.
H - High (score 4)
• Likelihood: A realistic event for AZ that can be anticipated to happen, either in AZ or a closely allied business
• Financial impact: >$100m
• Reputational impact: Impacts AZ Group. International media and/or regulatory involvement. Possible financial implications and developing crisis.
M - Medium (score 3)
• Likelihood: An event that can be envisaged but has not occurred in the business area or AZ
• Financial impact: >$30m
• Reputational impact: Regional impact. Media and/or regulatory involvement. Possible impact for other regions/parts of the business.
L - Low (score 2)
• Likelihood: A rare event that can be envisaged but hasn't happened in the company's history
• Financial impact: >$10m
• Reputational impact: Largely local impact. Limited external interest, e.g. media, regulatory and stakeholder management required
VL - Very Low (score 1)
• Likelihood: Never happened and relies on multiple unlikely events
• Financial impact: >$3m
• Reputational impact: Localised effects. Short lived impact.
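The rule Risk = Impact x Likelihood from the Analyze step, the Table A bands, and the $3M QBR reporting requirement, carried through as an added worked example. This is not a tool from the document and not AZ's register format: the field names, the decision to take the overall impact as the worse of the financial and reputational ratings, and the two register entries are all this example's own assumptions.

```python
"""Scoring a register entry against Table A (added example; not a tool from the document).

Assumptions that are this example's, not the page's: the overall impact score is the
worse of the financial and reputational ratings, the $3m QBR reporting rule is applied
to the financial estimate, and the register field names below are invented. The two
entries at the bottom are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

# Table A: VH..VL map to scores 5..1 for likelihood and both impact columns
LEVEL_SCORE = {"VH": 5, "H": 4, "M": 3, "L": 2, "VL": 1}
# Table A financial impact bands in $m, highest first; ">" matches the table wording
FINANCIAL_BANDS = [(200.0, "VH"), (100.0, "H"), (30.0, "M"), (10.0, "L"), (3.0, "VL")]
# "Risks greater than $3M must be reported for Quarterly Business Review"
QBR_THRESHOLD_M = 3.0


def financial_level(loss_m: float) -> Optional[str]:
    """Return the Table A band for an estimated loss in $m, or None below the VL band."""
    for floor, level in FINANCIAL_BANDS:
        if loss_m > floor:
            return level
    return None


@dataclass
class RiskEntry:
    ref: str
    description: str          # situation, risk, impact to IT area, impact to the business
    likelihood: str           # VH..VL per the Table A likelihood definitions
    loss_m: float             # estimated financial impact, $m
    reputational: str         # VH..VL per the Table A reputational column
    target_score: int         # score the area is prepared to accept (risk appetite)
    previous_score: Optional[int] = None  # net score at the last review, for the trend
    treatment_plan: str = ""  # SMART plan text; empty means no plan recorded

    def impact_score(self) -> int:
        # Assumption: overall impact is the worse of the two impact ratings
        fin = financial_level(self.loss_m)
        fin_score = LEVEL_SCORE[fin] if fin else 0
        return max(fin_score, LEVEL_SCORE[self.reputational])

    def net_score(self) -> int:
        # Risk = Impact x Likelihood on the 1-5 scales, so 1..25
        return self.impact_score() * LEVEL_SCORE[self.likelihood]

    def trend(self) -> str:
        if self.previous_score is None:
            return "new"
        if self.net_score() > self.previous_score:
            return "worsening"
        if self.net_score() < self.previous_score:
            return "improving"
        return "stable"

    def requires_qbr(self) -> bool:
        return self.loss_m > QBR_THRESHOLD_M

    def review(self) -> list:
        """Findings for the monitoring step: in control? plan present? trend justified?"""
        findings = []
        if self.net_score() > self.target_score and not self.treatment_plan.strip():
            findings.append("above target with no treatment plan")
        if self.requires_qbr():
            findings.append("report at QBR (financial impact > $3m)")
        if self.trend() == "worsening":
            findings.append("trend worsening: justify in comments")
        return findings


def prioritise(entries):
    """Evaluate step: order the register by net score, highest first."""
    return [e.ref for e in sorted(entries, key=lambda e: e.net_score(), reverse=True)]


# Constructed sample entries (not from the document)
SAMPLE_REGISTER = [
    RiskEntry("IT-001", "Backup for GxP system runs on unsupported hardware; if it fails "
              "validated data may be unrecoverable; IT area faces re-validation; "
              "business faces regulatory findings", "H", 45.0, "H", 10, previous_score=12),
    RiskEntry("IT-002", "Single vendor for a non-critical reporting tool; vendor exit would "
              "delay monthly reports; minor IT rework; short local disruption",
              "VL", 2.5, "L", 6, previous_score=2, treatment_plan="Identify alternative by Q3"),
]

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(e.ref, e.net_score(), e.trend(), e.review())
    print(prioritise(SAMPLE_REGISTER))
```

The boundary behaviour follows the table's ">" wording: a $3.0m estimate falls below the VL band and is not reported at QBR, while $3.1m is. Taking the worse of the two impact ratings is a choice, not something Table A states; an area that weights financial and reputational impact differently should change impact_score accordingly.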
Objective: Treat and mitigate risks according to an approved plan
Supporting process documents: Guidance F - Risk Treatment; Guidance D - Controls and Contingencies
1. Identify Risk Treatment Options
• Avoid, Share, Transfer, Reduce, Accept (slide annotation: "Pragmatically, we operate here")
2. Prepare Risk Treatment Plan
• SMART: Specific, Measurable, Achievable, Realistic, Timely
• Must include: Actions/Tasks, Delivery Dates, Responsible Parties
3. Associate Risk Treatment Plan to Service Improvement Plan (SIP)
• Provides transparency and awareness
• Ensures management approval and prioritization
• Facilitates reporting
4. Implement Risk Treatment Plan
• Execute activities and tasks per agreed plan
Objective: Ensure risk treatments are progressing as planned, and adjusted as needed
1. Review risks in Risk Register
• Access IT Area Risk Register
• Review: Risk Description, Treatment Plan, Net Risk Score, Trend, Comments/Updates
• Ask: Does it make sense? Is it current? Is it in control?
2. Update risks in Risk Register
• Update IT Area Risk Register with latest view: progress against the Treatment Plan, barriers to progress
• Adjust as needed: Risk Score, Trend, Treatment Plan, Risk Description
3. Review risks with Leadership
• Review IT Area Risk Register with Leadership
• Tower Leads must support the current risk position
• ITLT Members own all risks in their areas
• Update IT Area Risk Register with Leadership feedback
Problem Areas and Elements to Consider
Risk Description
• Should include four elements:
  1. What's the situation?
  2. What's the risk?
  3. What's the impact to IT Area?
  4. What's the impact to the Business?
• Avoid stating issues
• Expressed as something likely to occur if not managed
• Try to turn risks into opportunities
Treatment Plans
• Must be an up-to-date plan of action described in SMART terms: Specific, Measurable, Achievable, Realistic, Timely
• Must include: Actions/Tasks (What?), Delivery Dates (When?), Responsible Parties (Who?)
• Be creative, think of ways to avoid risk
• Ensure stakeholder involvement
Key Controls
• Must be current
• Detail existing controls that are in use
Comments and Updates
• Should be included if extra info is needed to explain deltas in expected progress against the Treatment Plan
• Describes progress from last update
• Should be aligned to defined Treatment Plans
Net Risk Scores and Trends
• Net Risk Scores should be routinely evaluated to reflect "current" risk
• Risk Trend should be adjusted and justified
• Success is about taking risks
• Understanding risks to see opportunities, and taking risks responsibly
• Risk Management is not about compliance, it’s about managing day to day activities to achieve objectives
• Risk Management provides evidence of accountability and makes risks visible to leadership and stakeholders
• Making risks visible leads to surprise reduction at all levels of management right up to the board (take this challenge on board even if it is culturally a difficult behaviour)
• Focus should be on identifying and developing risks that are material to objectives, especially organizational goals and strategy
• Make sure largest risks have contingency plans in place
• Management must engage for risk management to be successful
• Risk Management can only succeed if you discuss risks with your colleagues, peers, stakeholders, and leadership
IT Functional Areas – What You Need to Do
* Support line management-led processes, tools and resourcing for effective risk management.
* Work with the ITLT member and their leadership teams, to enable and facilitate risk discussions, attention and focus.
* Lead annual/quarterly assessment and reporting of risks, including strategic, performance/operational, reputational, financial control, and compliance risks.
* Submit a comprehensive ITLT area risk assessment as part of the Global IT annual business planning and Budget processes.
* Provide ongoing risk training and support.
For Global IT – What We Do
* Define Global IT risk management standards, process, performance and maturity levels.
* Provide risk management oversight, challenge when required and maintain an independent view of Global IT Risks.
* Provide consultancy and advice to Global IT on tools and training, to support 1st line capability and performance.
* Support and provide risk management guidance to the ITLT Risk Leads.
* Work with CIO and other members of the ITLT and their teams, to facilitate robust risk discussions.
* Provide guidance and oversee the IT annual/quarterly assessment of risks for QBR submission, including strategic, performance/operational, reputational, financial control, and compliance risks.
* Build and continually improve Global IT risk management culture and capability.
* Monitor the effectiveness in the implementation of the Risk Management process within Line 1 Global IT and the quality of its execution.
[Org chart: IT Areas (Strategy and Performance; HR/Legal/Corp Affairs IT; Finance & GPPS IT Operations; IT Infrastructure & Operations; Software Shared Services; RDI; MedImmune; R&D IS; Commercial IT), each with an ITLT Risk Lead, supported by Global IT Risk Management (GRL)]
• Global Policy - Safeguarding Company Assets and Resources
• The Company is committed to effective risk management
• Organizational (IT) Policy
• Risks arising from IT activities must be identified and managed. This is a responsibility of all IT managers.
• Global IT Risk Management Standard
• The purpose of this standard is to mandate the minimum requirements for an appropriate and consistent level of risk management activity across Global IT (SET IT & Corporate IT).
• IT Control Framework Risk Management Process Diagram
• Risk management process flow
• Links to policies and standards
• Links to guidance documents
• Links to training module
• Quality and Compliance Manual
• Various risk-related standards
Embedded documents on the slide: Global Policy, IS Policy, Risk Mgmt Std