
Post on 10-Jul-2020


Beyond Compliance

Simone Wray

Head of Risk Management

IIRSM Conference, 24 May 2018

Data Classification: Internal

The Challenge of Compliance in Practice


Stakeholder perception of risk and compliance?


And things still go wrong

What are the drivers for going above and beyond?

Attitude to risk


Enterprise Risk Management

Needs to be understood in the context of what an organisation is trying to achieve rather than what it wants to avoid.

Business Risk Matrix: Estimation of Impact

Impact levels: 1 Manageable, 2 Moderate, 3 Serious, 4 Critical

Finance
1 Manageable: <£500k
2 Moderate: £500k-£2.5m
3 Serious: £2.5m-£7.5m
4 Critical: >£7.5m

Company Priorities
1 Manageable: Minor change in scope/outcome with minimum impact.
2 Moderate: Change in scope/outcome with minimum impact but requires approval.
3 Serious: Change in scope/outcome that impacts priorities and requires approval.
4 Critical: Change in scope/outcome that means a priority cannot be delivered.

Project Objectives
1 Manageable: No change to business case benefits.
2 Moderate: Change to business benefits of <£100k that requires approval by the Project Steering Board.
3 Serious: Change to business benefits of >£100k that requires approval by the Avios Investment Committee.
4 Critical: Change to business case benefits such that the project is no longer viable, with the decision to stop taken by the Avios Investment Committee.

Compliance
1 Manageable: Breach that can be resolved internally. Existing policy/procedures found to be adequate.
2 Moderate: Breach that can be resolved internally. Existing policy/procedures found to be inadequate.
3 Serious: Breach that requires notification to the relevant regulatory authority; sanctions possible.
4 Critical: Breach that requires notification to the relevant regulatory authority; sanctions probable. Knowledge of the breach likely to be public.

Stakeholder Trust
1 Manageable: Trust dented - recoverable with time and PR support.
2 Moderate: Trust diminished - recoverable with senior management intervention.
3 Serious: Trust damaged - recoverable with LT overview.
4 Critical: Trust lost - LT priority action and/or Board overview required.

Risk Scoring (score = Impact x Probability)

Probability: 1 Remote | 2 Possible | 3 Probable | 4 Likely

Impact 4 Critical: 4 | 8 | 12 | 16
Impact 3 Serious: 3 | 6 | 9 | 12
Impact 2 Moderate: 2 | 4 | 6 | 8
Impact 1 Manageable: 1 | 2 | 3 | 4

Estimation of Probability

1 Remote (<25%): Only expected to occur in exceptional circumstances.
2 Possible (25%-50%): Not expected to occur, but could occasionally.
3 Probable (50%-75%): More likely to occur than not.
4 Likely (>75%): Expected to occur in most circumstances.

Risk Monitoring, Escalation and Reporting

High Risk - Active Management and Review
• This should trigger a review of the existing and planned controls.
• The risk should be escalated and reported as a key risk to the respective stakeholder group.

Medium Risk - Control Critical
• Review existing controls and aim to reduce cause and/or effect in relation to the cost and benefit.
• Review regularly.

Low Risk - Manageable
• No further action required at this point.
• Review routinely.


Significant Risks: Strategic, Project, Operational

Source: IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control

Combined Assurance Map

Source: KPMG

Everyone has a role to play

Homeworking – Case Study

DSE Compliance

Homeworking Model

Managing the homeworker:
• Definitions
• Factors in deciding whether an employee could work away from the office
• Considerations before an employee starts working away from the office
• Considerations for the employee

Compliance is an opportunity not a problem


Making any decision is about taking risk, and risk management is not about no risk as much as NO SURPRISES.