Organizations are complex: from technological advancements to regulatory changes and global expansions, ensuring robust information security is a daunting task for any GRC professional.
In this workshop with renowned GRC pundit Michael Rasmussen, you’ll get the blueprint you need to achieve an effective IT risk management strategy in a dynamic business and risk environment. You’ll learn strategies and techniques to apply to your whole organization and as part of your broader GRC strategy.
Here’s what you can expect to gain:
A comprehensive understanding of IT GRC within the broader context of business performance and strategy.
Knowledge of how to integrate IT GRC management processes seamlessly into your organization’s operations.
The ability to define an information architecture that provides 360° situational awareness of IT GRC in alignment with business objectives.
A deep dive into the technology components necessary to streamline risk and compliance management across your organization.
Who should come along?
IT GRC managers and officers
Business managers who want to up their game in IT GRC
Executives and governance personnel overseeing IT GRC
Audit personnel providing assurance on IT security and GRC
Workshop Abstract:
Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives constantly react to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk, as it permeates business operations, processes, transactions, and relationships in the digital world. Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows.
Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The decentralized, disconnected, and distributed processes of the past leave the organization unprepared for information risk and expose it. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires the Chief Information Security Officer (CISO) to take a foundational and integrated approach to risk management across the organization. Understanding and managing risk in today’s environment requires a new paradigm for managing the interconnections and relationships of risk, particularly information risk. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, data) and externally (e.g., threat, competitive, legal, geographic environments) to stay competitive in today’s economy.
Organizations must understand information security risk and make risk-informed business decisions to manage risk effectively across the enterprise. This workshop provides attendees with a blueprint for effective IT risk management strategies in a dynamic business and risk environment. Attendees will learn IT risk management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.
Objectives of the workshop:
Attendees will take back to their organizations approaches to address:
IT Risk Management Strategy. Understand IT risk in the context of business performance, strategy, objectives, culture, and values.
IT Risk Management Processes. The IT risk management processes integrated into the organization and its operations flow from the strategy. Good IT risk management is done in the rhythm of the business.
IT Risk Management Information Architecture. Defining an information architecture that enables IT risk management strategy and processes by providing 360° situational awareness of IT risk in the context of business strategy and operations.
IT Risk Management Technology Architecture. The technology components needed to integrate diverse and distributed risk and compliance management roles, and IT risk management itself, into the organization’s operations.
Benefits to attendees:
Holistic awareness of risk. There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of the organization and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework.
Risk-intelligent decision-making. The organization has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with organization strategy; it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
Multidimensional risk analysis and planning. The organization has a range of risk analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — are working and monitored for progress.
Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of organization objectives, performance and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.
Who should attend?
IT risk managers and officers responsible for leading and managing IT risk and information security
Business managers whose job responsibilities include IT risk responsibilities
Executives and governance personnel who have to oversee and govern IT risk
Audit personnel who provide assurance on IT security and GRC
Typical Agenda:
Part 1: What is IT Risk Management?
UNDERSTANDING IT RISK IN THE CONTEXT OF THE ORGANIZATION
Different views of IT risk and information security throughout the organization
Who owns IT risk?
Understanding IT risk and its role in providing assurance on business strategy, objectives, performance, and operations
Workshop Project & Discussion
Part 2: IT Risk Management
BLUEPRINT FOR IT RISK MANAGEMENT COLLABORATION AND STRATEGY
Developing an IT risk committee (or herding cats), bringing together the range of GRC roles with a stake in IT risk across the organization
Defining an IT risk management charter
Developing a collaborative and enterprise view of IT risk and how it relates to performance, risk, and compliance
Workshop Project & Discussion
Part 3: IT Risk Management Process Lifecycle
INTEGRATED PROCESSES TO IDENTIFY, ANALYZE, MANAGE, AND PROVIDE ASSURANCE ON IT RISK
Identification – Collaborative process to identify IT risks and controls from both the bottom and the top
Analysis – Defining effective and operational controls to provide assurance while mitigating risk
Management – Strategies to manage IT risk and controls in context of performance, risk, and compliance
Communication – Assign and manage IT risk ownership and accountability
Workshop Project & Discussion
Part 4: IT Risk Management Information & Technology Architecture
PROVIDING AN INTEGRATED VIEW OF IT RISK TO THE ENTERPRISE
Developing an IT risk taxonomy and attributes of risks and controls
Mapping IT risk to objectives, risk, policy, and compliance
Monitoring IT risk in a changing environment
Technology capabilities and considerations to support IT risk management
Workshop Project & Discussion
GRC 20/20 Analyst will be facilitating this workshop . . .
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on enterprise GRC strategy and processes supported by robust information and technology architectures. With 30+ years of experience, Michael helps organizations improve GRC strategy and processes supported by the correct GRC technology architecture. This enables organizations to align GRC with the business and deliver effective, efficient, resilient, and agile capabilities to the organization. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — the first to define and model the GRC market in February 2002 while at Forrester.
About Event Host . . .
SureCloud is a leading provider of cloud based, Integrated GRC (Governance, Risk & Compliance) products and Cybersecurity services, which reinvent the way you manage risk. SureCloud, and our Aurora platform, enable organizations to make better decisions and achieve their desired business outcomes. SureCloud is underpinned by Aurora, a highly configurable no-code platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers who force organizations to adapt their processes, our solutions are highly configurable. Aurora can be easily customized to fit a wide range of operating models, meaning that our clients get immediate and sustained value from the outset.