Management 2.0
A New Approach
The conclusions of a technology risk study, which explored whether technology risk functions have the right strategy, skills and operating models in place to enable the organization to understand, assess and manage existing and emerging risk, have reinforced Protiviti's long-held view that technology risk is failing to keep up with the rapid pace of technological change.1 This is particularly true for organizations that are struggling with the notion that they are becoming a technology company.

Technology risk is failing to keep up with the rapid pace of technological change.

The companies assessed in Protiviti's Technology Risk study all have ambitions to mature their technology risk activities, but it is uncertain whether they will be able to achieve their goals, given delivery and budget pressures. In many cases, to effect necessary changes, significant modifications are needed, not only to risk management processes and tools, but also to the way in which governance, risk management and compliance teams are organized.

This process does not necessarily require additional people or cost. Firms can drive operational effectiveness and efficiencies through consolidation or better integration of technology governance, risk management and compliance activities, but this will only be achieved by using technology more effectively. The operating model needs to come first, however. Once the framework has been established, a creative risk function can bring it to life and increase levels of automation using technology. Ultimately, technology risk activities need to undergo a digital transformation to be fit for purpose. It is time to reimagine the way firms manage technology risk and empower the risk function to become innovators and remain relevant to the business.

1 The results of the technology risk study are set out in the Protiviti white paper, Technology Risk: The Need for Change: www.protiviti.com.
The Protiviti Technology Risk Model 2.0 framework and methodology is designed to enable better integration of the various groups performing technology risk activities. This can include activities performed by individuals in the technology risk function, the IT department, the operational risk team, information risk, vendor management, information security and cybersecurity teams, to name a few. Implementing a more integrated approach creates a more effective and efficient IT and technology risk function that focuses on the customer and user experience rather than on the downside risks impacting the organization.
[Figure: Protiviti Technology Risk Model 2.0 framework. Business Impact (High/Med) is plotted against Likelihood of occurrence (includes consideration of identified controls) for the risk scenarios identified, each tagged with its primary threat actors; the assessment is fed by Top-Down Business Risk Assessment, Bottom-Up Risk Assessment, Incident Analysis, Continuous Monitoring and Compliance.]
2 Protiviti
The Protiviti Technology Risk Model 2.0 framework helps firms to visualize an ideal end state and provides a tried-and-tested methodology to realize that vision. The effective implementation of this framework drives a wholesale transformation in the organization. Success relies on firms having sponsorship at the appropriate level and an effective change management process in place.

This approach is not to be confused with the well-versed arguments for firms to implement a common governance, risk and compliance (GRC) platform. Although a common GRC platform is useful, since it can streamline and bring risk reports and data together, the focus in this approach is on how firms can fundamentally re-engineer and redesign the way the various functions that manage and/or report on technology risk work together to integrate methodologies, as well as languages and culture.

Many firms have struggled to fully implement complex GRC projects in the past, which is often caused by the tendency for such projects to be technology-led. People and functions need to align first in terms of their methodologies, processes and cultures before an integrated approach can be underpinned by a core technology platform and supporting tools.

First, organizations need to decide what they want to integrate and how. The Protiviti Technology Risk Model 2.0 seeks to deduce how different functions work together and how their varied standards, taxonomies and agendas can be brought together to align with the goals of the business. Once firms have determined common processes, common languages and common approaches, only then can they be combined in a common system. Starting with a common system and trying to superimpose a different approach is rarely successful. By approaching this from the other direction, once the risk management functions are aligned, the technology should fall into place more naturally.

Integrating Top Down and Bottom Up Approaches

Existing approaches adopted by almost all organizations for technology risk are conducted from the bottom up and are focused on the risk assessments of the technology components. Top-down risk analysis is typically only performed to inform the scope of the assessments. The analysis then quickly moves to a bottom-up assessment of the technology components, the systems and processes supporting applications identified as high risk, to highlight potential issues. These activities are not
[Figure: Protiviti Technology Risk Model 2.0 process. The steps, numbered as in the diagram, with two supporting activities left unnumbered:
1. Determine the critical customer risk scenarios
2. Validate scenarios and threat actors (internal or external) with stakeholders
Use understanding of control environment to support risk scenario analysis
3. Identify key risk entities relevant to specific risk scenario
4. Consolidate information about current state of control environment
5. Augment controls data with service management data
6. Determine impact and consider threat and controls to assess likelihood
7. Review risk appetite and conclude on actions required
8. Use understanding of key risk scenarios to prioritize observations and recommendations
Capture and track closure of agreed risk remediation activities]
[Figure: Integrating Top Down and Bottom Up. A chart of Impact of occurrence (to High) against Likelihood of occurrence (includes consideration of identified controls) plots risk scenarios 1 to 17, next to the table of risk scenarios identified, with C/I/A columns and the primary threat actors for each. Sample rows:
1. Failure to complete a significant number of customer payments in accordance with agreed processing deadlines (OI, SA, UA, WM)
2. Payments are not accurately booked (OI, SA)
Primary threat source. Internal threats: OI: Opportunistic Insider; WM: Well-Meaning Insider. External threats: UA: Unsophisticated Attacker; SA: Sophisticated Attacker.]
Protiviti Threat Assessment Model

Well-meaning insider (WM)
Characteristics: 1. Do not intend any harm. 2. Are just trying to do their job.
Typical actions: 1. Are not aware that their actions can cause harm. 2. Are forced to do things in an insecure manner because they are not aware of any secure alternatives.
Controls: awareness training; data loss prevention; document management; data centric security solutions.

Opportunistic insider (OI)
Characteristics: 1. Are legitimate users but have high levels of access and/or have been given more access than they require. 2. Would abuse access but not usually go as far as bypassing controls to gain access.
Typical actions: 1. Use their access in an unauthorised manner. 2. Can ethically justify their misuse.
Controls: identity and access management; logical access management; privileged access management; user behavioral analytics.

Unsophisticated attacker (UA)
Characteristics: 1. May or may not have legitimate access to information. 2. Choose targets opportunistically, often based on easy-to-find weaknesses. 3. Have a relatively low motivation to succeed with attacks. 4. Utilise simple, well-known attack methods. 5. Are very noisy in their attacks.
Typical actions: 1. Use attack methods that don't ultimately succeed but are otherwise harmful to our computing systems. 2. Use attack methods that have been released publicly before vendors have had a chance to provide fixes. 3. Are not detected early on, despite setting off alarms.
Controls: vulnerability patching; anti-virus/malware protection; IDS/IPS; SIEM/SOC; privileged access management; end-user training (managing the social engineering threat); disaster recovery/crisis management.

Sophisticated attacker (SA)
Characteristics: 1. Have a specific interest in damaging their targets or see them as economically profitable. 2. Are highly motivated to succeed with their attacks. 3. Have access to the technical and financial resources they need to be successful. 4. Are very stealthy in their attacks.
Typical actions: 1. Apply their resources to any specific target. 2. Have a competing economic interest. 3. Are state-supported.
Controls: continuous people screening; threat intelligence; advanced user behavioral analytics; advanced privileged access controls (with enhanced segregation of duties rules); enhanced disaster recovery/crisis management; high security environments.
[Figure: risk register grid. Risk descriptions are listed per line of business (1, 2, 3 ... 98, 99) and each is rated against the threat actors WM, OI, UA and SA on scales of 1 to 5.]
Once high impact areas have been identified, firms should conduct a threat assessment, which can be ranked, to determine where the greatest threats are likely to emerge.

The Protiviti Technology Risk Model 2.0 divides threats, at least those resulting from targeted attacks, into internal and external categories. External threats primarily from hackers are classed as unsophisticated attackers (UA), while, at the far end of the scale, organized crime networks or terrorist groups, as well as state actors or foreign governments, are categorized as sophisticated attackers (SA). Internal threats are divided into opportunistic insiders (OI) and well-meaning insiders (WM).

The types of controls and the organization's view of the effectiveness of those controls may vary significantly depending on the source and sophistication of the attacker. Identifying the threat actors associated with each risk allows the risk function to conduct a more accurate assessment of the likelihood of a successful attack, a key component of the risk assessment process. This exercise combines an analysis of the perceived threat levels with an assessment of the effectiveness of the controls.

Firms need to ask some fundamental questions when considering threat levels: Given a particular business risk, where does the firm believe the threat is coming from? What are the motivations for the attack? What tools do the attackers have at their disposal? The required controls vary significantly depending on the perceived source of the threat. The motivation and risk appetite of the perceived attacker also has a significant impact on the threat assessment. Firms should be much more concerned about control weaknesses when they are aligned with the perceived source of a credible threat.

When performing a threat analysis, the risk function needs to be aware of the effectiveness of the control environment. The assessment should consider technology controls as well as business process controls. For example, if an attacker attempts to exploit weaknesses in change management and/or privileged access controls to create and process fictitious payments, the threat is significantly reduced
[Figure: risk appetite. Two charts of Impact of occurrence (to Very High) against Likelihood of occurrence (includes consideration of identified controls) plot scenarios 1 to 17 in the Observed Current State and in the Target State, each with the risk appetite line drawn. Risk management strategies need to be identified for all risks assessed as above risk appetite.]
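To make the likelihood-and-appetite step concrete, here is an added Python example (not Protiviti's own tooling or methodology): it scores each risk scenario's likelihood from the perceived threat level of its primary actors and the effectiveness of identified controls, flags scenarios above an assumed risk appetite, and re-scores a target state after remediation. The 1-5 scales, threat-level weights, control ratings and appetite threshold are assumptions; the actor classes (WM, OI, UA, SA) and the two payment scenarios are taken from the paper's figure.

```python
"""Threat-based likelihood and risk-appetite scoring, as an added example of the
Model 2.0 assessment; not Protiviti's own tooling. The 1-5 scales, threat-level
weights, control ratings and appetite threshold are constructed assumptions; the
actor classes (WM, OI, UA, SA) and the two payment scenarios come from the paper."""
import math
from dataclasses import dataclass, replace

# Assumed perceived threat level per actor class; the paper puts sophisticated
# attackers at the far end of the scale and well-meaning insiders at the other.
THREAT_LEVEL = {"WM": 1, "OI": 2, "UA": 3, "SA": 5}

@dataclass(frozen=True)
class Scenario:
    ref: int
    description: str
    actors: tuple    # primary threat actors, e.g. ("OI", "SA")
    impact: int      # business impact, assumed 1 (low) to 5 (very high)
    controls: dict   # actor -> effectiveness of identified controls, 0.0 to 1.0

def residual_threats(s):
    """Residual threat per actor: perceived threat level x (1 - control effectiveness)."""
    return {a: THREAT_LEVEL[a] * (1.0 - s.controls.get(a, 0.0)) for a in s.actors}

def driving_actor(s):
    """The actor the controls handle worst; it sets the scenario's likelihood."""
    rt = residual_threats(s)
    return max(rt, key=rt.get)

def likelihood(s):
    """Likelihood of occurrence (1-5), including consideration of identified controls."""
    worst = residual_threats(s)[driving_actor(s)]
    return max(1, min(5, math.ceil(round(worst, 6))))

def risk_score(s):
    return s.impact * likelihood(s)

def above_appetite(scenarios, appetite):
    """Scenarios above appetite (impact x likelihood > appetite), highest first, each
    paired with its score and the driving actor so a management strategy can be agreed."""
    flagged = [(s, risk_score(s), driving_actor(s)) for s in scenarios if risk_score(s) > appetite]
    return sorted(flagged, key=lambda t: t[1], reverse=True)

def target_state(s, improved_controls):
    """Model an agreed remediation plan by raising control effectiveness per actor."""
    return replace(s, controls={**s.controls, **improved_controls})

# The two scenarios are those in the paper's figure; impact values and control
# ratings are constructed for this example.
CURRENT_STATE = [
    Scenario(1, "Failure to complete a significant number of customer payments "
                "in accordance with agreed processing deadlines",
             ("OI", "SA", "UA", "WM"), 5, {"OI": 0.5, "SA": 0.4, "UA": 0.8, "WM": 0.9}),
    Scenario(2, "Payments are not accurately booked", ("OI", "SA"), 4, {"OI": 0.7, "SA": 0.7}),
]
RISK_APPETITE = 12  # assumed: the firm tolerates impact x likelihood up to 12

if __name__ == "__main__":
    for s, score, actor in above_appetite(CURRENT_STATE, RISK_APPETITE):
        print(f"#{s.ref} score {score}, likelihood driven by {actor}: {s.description}")
    print("scenario 1 after remediation:", risk_score(target_state(CURRENT_STATE[0], {"SA": 0.8, "OI": 0.8})))
```

With the constructed ratings, scenario 1 sits above appetite because the controls against the sophisticated attacker are weakest; raising those controls in the target state brings it back within appetite.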
Integrating Vendor Risk Management

Threats posed by vendors and third party contractors have been attracting regulatory attention, with financial services firms being required to perform vendor risk assessments. Information technology is no exception. IT is much more complex than it once was. While most businesses still manage and operate some in-house developed systems from their own data centers, the increasing adoption of cloud and integration with third-party solutions is driving greater dependence on vendors, increasing the importance of effective vendor management.

Even though firms' reliance on technology is increasing, in reality they control far less of this than they ever have before. The combination of increased dependence and less direct control raises some concerns, and regulators are becoming more focused on this topic.
[Figure: the information technology ecosystem: customers, consumers, businesses, suppliers, suppliers' suppliers, hosting providers, outsourcing providers, xAAS and telecoms.]
Most organizations have adopted approaches to managing risks arising from contractual obligations, but their approaches are rarely coordinated or consistent. This includes failing to meet obligations to customers imposed on the company by regulators (contractual compliance), the risks presented by suppliers' operating processes, managing and holding firms' data (vendor risk management), and the risks arising from the technology firms use in-house (operational risk management). These varied approaches, if all are performed, are typically owned by different teams, using different systems, with relatively little information shared between them.
[Figure: integrated vendor risk process, steps 1 to 5, starting with a third-party entity identified through the operational risk process.]
Adopting this integrated approach to vendor risk presents numerous benefits, as compared with a more traditional approach:
1. Existing third parties that require inclusion in the vendor risk program are derived from the top-down assessment of potential risks to the business, rather than from an analysis of procurement spend (which can result in smaller, high-risk suppliers being missed).
2. The vendor risk team's effort is focused on determining the main, specific risks the supplier/service provider presents to the business, rather than drawing on standard schedules (e.g., information security requirements) to prescribe the required controls.
3. Vendors are granted access to a system that provides details of the controls they have put in place within their organization to manage the risks on the company's behalf. This approach allows vendors to manage their own businesses, but also provides transparency to the buyer of the service on how risks are managed. It also reinforces the vendors' responsibilities.
4. The system engages with suppliers on a regular basis to reaffirm those controls are operating effectively. This reminds suppliers of their commitments and responsibilities, while providing increased assurances the controls are operating continuously.
5. A process is established to track and manage the closure of remediation plans agreed with vendors when risks are identified.
6. The approach is fully integrated with operational risk reporting (if the same process and/or systems are used). This ensures that third-party risks are fully considered in operational risk reporting, when threat assessments are performed.

Effectiveness of Management Reporting

One significant observation from the Protiviti Technology Study was how few organizations have been able to develop insightful reports. Reporting in general was found to lack impact. This stems from the fact that approaches adopted are typically from the bottom up. Businesses have lots of information about technology risks, but provide limited insight on business impact and whether the risk profile of the organization is increasing or decreasing and why.

Once the integrated approach has been implemented, firms can utilize tools such as The Protiviti Risk Index to provide executives with a complete view of risk, showing how risk is changing over time.2 Firms can aggregate their top-down business risks using a dashboard, which can give a macro-level view of whether the company's risk exposure is rising or falling.

2 See The Protiviti Risk Index: A Single-Number Snapshot of Organizational Risk: www.protiviti.com/US-en/insights/protiviti-risk-index.
In Conclusion

This paper provides a high-level overview of some of the key components of Protiviti's Technology Risk Model 2.0. This is a common methodology and approach that can be used to fully integrate all functions tasked with assessing and helping the organization to manage operational risks arising from the use of technology.

As highlighted in the whitepaper Technology Risk: The Need for Change, there is a strong case for transformation. Almost all participants in our study acknowledged that their current approach to technology risk management is not adequate.

The challenge for many firms will be deciding where to start and receiving buy-in from discrete operating units to work together to drive the required change. Chief risk officers will have a critical role to play in this process.

Agreeing upon a common approach to the top-down risk assessment, a process that is ineffective in most technology risk management activities, can be a good place to start.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders
confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data,
analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. We also work with smaller, growing companies,
including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948,
Robert Half is a member of the S&P 500 index.
Based on our research and industry participation, it is apparent that there is enormous pressure for financial services technology and IT leaders to become
more nimble and adaptive, yet there is also pressure to maintain controls and manage costs. Our blend of consulting expertise and deep industry experience
uniquely positions us to design and deliver pragmatic, risk-sensitive solutions in response to these challenges.
Protiviti has been helping clients to design and implement effective approaches to risk management. We have a strong reputation in risk management,
security and privacy, IT governance, and analytics and a loyal base of clients based on the breadth of our skills. We also seek to overlay a deep understanding
of industry-specific concerns in our solution development. Our dedication to develop pragmatic solutions to address the real, underlying client needs helps us
produce value for our clients. This combination has made us a trusted partner to our clients.
We seek to help organizations assess the effectiveness of current technology risk models and assist with the design and implementation of a more
effective approach.
CONTACTS
Carl Hatfield
Managing Director
+1.617.330.4813
carl.hatfield@protiviti.com