Establishing the Core of an Effective Technology Risk Management Program
Director, Security Development and Engineering
Effective risk management helps a company pursue opportunity within the firm’s risk appetite in a controlled way
Risk and value are two sides of the same coin
Risk appetite is the level of risk that an organization is willing to accept while
pursuing its objectives, and before any action is determined to be necessary in
order to reduce the risk.
Risk is an opportunity
Begin with the end in mind
➢ Effective and efficient risk management
➢ Continuous demonstration of compliance status
➢ Minimal effort outside business-as-usual by operational and risk management teams
“We may be very busy, we may be very efficient, but we will also be truly effective only when we begin with the end in mind.”
Stephen Covey
What laws and regulations apply to your company or your upstream partners and customers?
The fog can be lifted - excellent resources are already available!
Research and Whitepapers
▪ The core intent of technology and security controls is similar across regulations
▪ Leverage existing frameworks and control mapping crosswalks to deduplicate and arrive at a single set of required, applicable controls
Prerequisites to Success:
Standardization - Save the user creativity for art class
• Correct mapping for laws > requirements > processes > risks > controls
• Lock down the process, risk, and control libraries and instantiate them with limited flexibility
• Mandatory fields with standardized response options
Build infrastructure and guardrails from the start – An ounce of prevention
• Approval workflows for changes to key fields (dates, ratings, etc.)
• Preventative controls for data quality and integrity
• Access control
Clarify roles, responsibilities, and educate - No time for guesswork
• Control owner identification and education
• Automated system notifications for key actions and dates
• Leadership reporting with consequences
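The three prerequisites above (a deduplicated crosswalk, locked-down libraries with standardized mandatory fields, and guardrails on key-field changes) can be enforced in code rather than left to user discipline. The following is an added example, not from the slides or any GRC product; the regulation and control identifiers, the field names, and the people in it are hypothetical placeholders, and the crosswalk is a constructed sample.

```python
# Added example, not from the slides: a minimal control library that enforces
# the three prerequisites above. Regulation and control identifiers, field
# names and people are hypothetical placeholders.
from dataclasses import dataclass, field
from datetime import date

# Hypothetical crosswalk: regulation -> set of control IDs it requires.
CROSSWALK = {
    "REG-A": {"AC-01", "AC-02", "CM-01"},
    "REG-B": {"AC-02", "IR-01"},
    "REG-C": {"AC-01", "CM-01", "IR-01"},
}

# Standardized response options: mandatory fields accept only these values.
RATINGS = ("Low", "Medium", "High")
STATUSES = ("Not Started", "In Progress", "Implemented")
# Key fields whose changes require a separate approver.
KEY_FIELDS = ("rating", "due_date")


def required_controls(applicable):
    """Deduplicate the crosswalk for the regulations that apply.

    Returns {control_id: {regulations it satisfies}} so one control is
    implemented and tested once but evidences every regulation it covers.
    """
    result = {}
    for reg in applicable:
        if reg not in CROSSWALK:
            raise KeyError(f"no crosswalk entry for {reg!r}")
        for ctl in CROSSWALK[reg]:
            result.setdefault(ctl, set()).add(reg)
    return result


@dataclass
class Control:
    control_id: str
    owner: str        # mandatory: every control has a named owner
    rating: str       # one of RATINGS
    status: str       # one of STATUSES
    due_date: str     # ISO date, YYYY-MM-DD
    history: list = field(default_factory=list)

    def __post_init__(self):
        # Preventative data-quality control: reject records that do not
        # meet the standard instead of cleaning them up later.
        if not self.owner:
            raise ValueError("owner is mandatory")
        if self.rating not in RATINGS:
            raise ValueError(f"rating must be one of {RATINGS}")
        if self.status not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}")
        date.fromisoformat(self.due_date)  # raises ValueError if malformed

    def update(self, field_name, value, actor, approver=None):
        """Change one field; key fields need an approver who is not the actor."""
        if field_name in KEY_FIELDS and (approver is None or approver == actor):
            raise PermissionError(f"change to {field_name} needs a separate approver")
        candidate = {k: v for k, v in self.__dict__.items() if k != "history"}
        candidate[field_name] = value
        Control(**candidate)  # re-run validation before accepting the change
        self.history.append((field_name, getattr(self, field_name), value, actor, approver))
        setattr(self, field_name, value)


def overdue(controls, today):
    """Controls past due and not yet implemented, for automated notifications."""
    today = date.fromisoformat(today)
    return sorted(
        (c.control_id, c.owner) for c in controls
        if c.status != "Implemented" and date.fromisoformat(c.due_date) < today
    )
```

Each control carries its own change history, so the approval record is produced as a by-product of the guardrail rather than reconstructed later for an auditor; `overdue` is the kind of query an automated notification job would run daily against the library.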
✓ Standardization
✓ Governance
✓ Accountability
ISO 31000
Now that you have a strong core: use it to support the overall risk management process
Action Item for Today:
Identify the (top) 3 regulatory oversight agencies, or regulations / standards, that impact your company.