Post on 08-May-2023
Operational Risk in Business – 8 March 2017
SESSION OVERVIEW
1. JLT Overview
2. Risk & Risk Management
3. Strategic & Operational Risk
4. Business Continuity
5. Fraud & Cyber
JLT OVERVIEW
When talking about the start of the JLT Community Series...
“What is JLT? It sounds a bit like a sandwich to me.”
– Jonathan Brown, Nova FM
RISK AND RISK MANAGEMENT
“When I grow up, I want to work in Risk Management”
…said nobody ever!
RISK
Risk =
Potential of losing something of value
A probability of threat or damage
A situation involving exposure to danger
The possibility that something unpleasant or unwelcome will happen
SOURCES OF RISK
• Natural Events
• Human Behaviour
• Legislative Compliance
• Commercial Relationships
• Assets & Operations
• Political Circumstances
• Technology
WHY MANAGE RISK
Risk management is about deciding which risks to take and how to manage their outcomes.
“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.”
– President John F. Kennedy
RISK MANAGEMENT IS PART OF US ALL
You are qualified in risk management if you have ever:
o Negotiated a road crossing safely
o Ridden a bike or driven a car
o Booked a holiday
o Raised children*
* You should be up here doing the talking
RISK MANAGEMENT EXAMPLE
Standard Operating Procedures / Process Map
WHEN I KICKED SOME TYRES
Fraud losses: $0
Bad debt write-offs: $11m
WHEN I KICKED SOME TYRES
Some of the bad debt was in the names of...
Ms Anita Bath
Mr Rippen Youoff
Mr Hugh Jass
Mr R Swyper
Mrs R Slicker
Lord Van Hugendong
TYPES OF RISKS
Strategic risks
Operational risks
Project risks
LINK TO EACH OTHER
RISK AND RISK MANAGEMENT
Strategic Risk =
Risk that may prevent delivery of strategic objectives
Risk arising from a poor strategic business decision
Operational/Corporate Risk =
Risks arising through provision of services – inadequate or failed processes, poorly designed procedures, people (human error), systems and external events.
ARTICULATING THE RISKS
Example
“We have a lot of problems getting the right people to do the job...”
“We train them up and then can’t keep them for long...”
What is the risk?
Inability to attract and retain staff with high levels of knowledge and expertise
Increased costs through churn of staff (recruitment, training, etc.)
RISK PROFILE
[Risk heat map: risks plotted by category (Human Resources, Financial, Information Technology, Political, Legal / Governance) and rating; example plotted risk: Inability to attract & retain staff]
Legend
High risk: Immediate action required
Significant risk: Senior management attention required
Medium risk: Management responsibility must be specified
Low risk: Manage by routine procedures
WHAT IS BUSINESS CONTINUITY?
Business Continuity (BC) is defined as the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
(source: ISO 22301:2012)
BCP = Business Continuity Plan
BCM = Business Continuity Management
ITDRP = Information Technology Disaster Recovery Plan
EM = Emergency Management
BIA = Business Impact Analysis
SPF = Single Point of Failure
WHAT DOES IT ALL MEAN?
Emergency Management Plan (EMP) – Focussed on the safeguard and preservation of lives, equipment, assets and infrastructure.
Business Continuity Plan (BCP) – To maintain or restore at least a minimal level of service provision to those functions/services deemed ‘critical’ to the continuity of the organisation. The BCP should include prioritisation.
IT Disaster Recovery Plan (ITDRP) – To restore or maintain technology infrastructure (enabler).
A GOOD BUSINESS CONTINUITY PLAN WILL...
Remove/reduce subjectivity around prioritisation of services/functions, minimising the period of disruption to services/functions
Identify your ‘Single Points of Failure’ (SPF)
Provide those responsible (process owners) with a guide/reminder of what they should consider and what actions are required
Provide those ‘picking up the reins’ with a fighting chance of knowing what to do and who to speak to
Inform other dependencies and priorities (i.e. ITDRP)
A BUSINESS CONTINUITY PLAN WON’T...
× Be a manual or replacement guide for good management practice and decision making
× Be a script for every type of scenario which may occur
× Add complexity, overbearing detail and uncertainty to a situation
× Be something that is regarded as an ‘on the shelf’ document which is relied upon for all the answers periodically
WHAT ARE THE EXPERTS TELLING US?
Extrapolated information recently reported by the Association of Certified Fraud Examiners indicates that organisations lose five per cent of their annual revenue to fraud.
CURRENT SCAMS
Some impersonators are easy to spot...
Others are not!
PHISHING
FROM LITTLE THINGS BIG THINGS CAN GROW…
A Manager allowing deviation from ‘standard operating procedures’.
An employee accepting a gift from a supplier or contractor
An employee taking home ‘surplus’ stock
HOW CONTROLS FAIL
[Diagram: a TRANSACTION passing through Check 1, Check 2 and Check 3 in turn]
IF 99% EFFECTIVE WAS ‘GOOD ENOUGH’ IN LIFE
12 newborn babies given to the wrong parents each day
20,000 drug prescriptions incorrect per year
No electricity worldwide for 14 minutes per day
930 planes falling out of the sky per year
Water unsafe to drink for 3 days per year
ASHLEY MADISON
Business model of questionable morals/taste
Client base of 39 million across 53 countries
Gross profit of $115m in 2014
Valued in excess of $1bn
200+ employees
17,000 users per second
Money generated through functionality charges and fees (e.g. removal of profile = $19)
ASHLEY MADISON
Hacked in July 2015 and member details published online, including:
Names
Addresses
Credit card information
Search history
Profile pictures
ASHLEY MADISON
$576m class action by members, with significant regulatory (e.g. breach of privacy) action to follow.
The hack has highlighted numerous questionable and deceptive operational procedures.
Members subsequently extorted through emails requesting $300 USD.
GOVERNMENT HACKING
Dropped USBs and optical drives in staff car park
Phishing emails & malware on USB
Follow-up through fake IT support calls
OUTCOME
60% plugged in the USB drive
90% where branded with an official logo
22% clicked on the URL in the phishing email
40% provided passwords over the phone
RECENT FRAUD CASE STUDY
Key Facts
o Scammer may initially contact the organisation by phone, impersonating a known supplier and requesting a change of bank details.
o Scammer follows up in writing (email), attaching an instruction allegedly signed by a signatory.
o Bank account details are amended and subsequent invoices are paid to the new (fraudulent) details.
RECENT FRAUD CASE STUDY
It’s all in the fine detail
Scammer email example – Gavin.Dyche@jlt.com
Genuine email example – Gavin.Dyche@jlta.com.au
Signatory info may be incorrect on closer inspection
BSB is not domiciled to HQ
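A screening check for supplier bank-change requests of the kind described in this case study, written here as an added Python example (it is not JLT's or the presenter's code). The supplier register, the signatory list and the similarity threshold are assumptions; only the jlt.com and jlta.com.au domains come from the slide.

```python
import re
from difflib import SequenceMatcher

# Constructed supplier register (hypothetical data apart from the jlta.com.au
# domain quoted on the slide): genuine sender domain and signatories on file.
SUPPLIERS = {
    "JLT": {"domain": "jlta.com.au", "signatories": ["Gavin Dyche"]},
}

def sender_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address, e.g. 'jlt.com'."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        raise ValueError(f"not an e-mail address: {address!r}")
    return m.group(1).lower()

def looks_alike(a: str, b: str, threshold: float = 0.75) -> bool:
    """True when the first labels of two domains are near-identical (jlt vs jlta)."""
    ratio = SequenceMatcher(None, a.split(".")[0], b.split(".")[0]).ratio()
    return ratio >= threshold

def screen_request(supplier: str, sender: str, signatory: str, bank_change: bool) -> dict:
    """Screen an inbound supplier e-mail; return findings and whether to hold payment."""
    record = SUPPLIERS[supplier]
    genuine, actual = record["domain"], sender_domain(sender)
    findings = []
    if actual != genuine:
        if looks_alike(actual, genuine):
            findings.append(f"lookalike sender domain {actual} (genuine: {genuine})")
        else:
            findings.append(f"sender domain {actual} is not the domain on file ({genuine})")
    if signatory not in record["signatories"]:
        findings.append(f"signatory '{signatory}' is not on file for {supplier}")
    if bank_change:
        # A bank-details change is never actioned on the e-mail alone: confirm by
        # phoning the supplier on the number already on file, not one in the message.
        findings.append("bank details change: confirm by call-back to the number on file")
    return {"findings": findings, "hold_payment": bool(findings)}

if __name__ == "__main__":
    print(screen_request("JLT", "Gavin.Dyche@jlt.com", "Gavin Dyche", bank_change=True))
```

The jlt.com sender from the slide trips the lookalike check, and any bank-change request holds the payment until the call-back is done.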
IN SUMMARY, FOR CONSIDERATION
Business Continuity – What are your priorities?
Leverage risk management/integrate into ops.
Technology – What is critical, where is it stored?
KICK THE TYRES
PEE ‘N’ LEARN
Effective Risk Management, Business Continuity, Fraud & Cyber prevention is all about foresight. There are no prizes for hindsight...
GOLDEN EGGS
QUESTIONS?
Gavin Dyche
Gavin.Dyche@jlta.com.au