Operational Risk in Business – Gavin Dyche

Gavin Dyche – Manager, Risk

8 March 2017

1. JLT Overview

2. Risk & Risk Management

3. Strategic & Operational Risk

4. Business Continuity

5. Fraud & Cyber

Operational Risk in Business – 8 March 2017 2

SESSION OVERVIEW


KEEP AN EYE OUT

1 WHO ARE JARDINE LLOYD THOMPSON


JLT OVERVIEW

When talking about the start of the JLT Community Series…

“What is JLT? It sounds a bit like a sandwich to me.”

– Jonathan Brown, Nova FM


JLT OVERVIEW – OUR BUSINESS


JLT OVERVIEW – OUR CLIENTS

2 RISK AND RISK MANAGEMENT


RISK AND RISK MANAGEMENT

“When I grow up, I want to work in Risk Management”

…said nobody ever!


RISK

Risk =

Potential of losing something of value

A probability of threat or damage

A situation involving exposure to danger

The possibility that something unpleasant or unwelcome will happen

• Natural Events

• Human Behaviour

• Legislative Compliance

• Commercial Relationships

• Assets & Operations

• Political Circumstances

• Technology


SOURCES OF RISK


RISK AS OPPORTUNITY


WHY MANAGE RISK

Risk management is about deciding which risks to take and how to manage their outcomes.

“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.”

– President John F. Kennedy


RISK MANAGEMENT PROCESS


RISK MANAGEMENT IS PART OF US ALL

You are qualified in risk management if you have ever:

o Negotiated a road crossing safely

o Ridden a bike or driven a car

o Booked a holiday

o Raised children*

* You should be up here doing the talking

GOOD RISK MANAGEMENT

POOR RISK MANAGEMENT

IN A LEAGUE OF THEIR OWN


RISK MANAGEMENT EXAMPLE

Standard Operating Procedures / Process Map


KICK YOUR TYRES


WHEN I KICKED SOME TYRES

Fraud Losses: $0

Bad debt write-offs: $11m


WHEN I KICKED SOME TYRES

Some of the bad debt was in the names of…

Ms Anita Bath

Mr Rippen Youoff

Mr Hugh Jass

Mr R Swyper

Mrs R Slicker

Lord Van Hugendong

3 STRATEGIC & OPERATIONAL RISKS


TYPES OF RISKS

Strategic risks

Operational risks

Project risks

LINK TO EACH OTHER


RISK AND RISK MANAGEMENT

Strategic Risk =

Risk that may prevent delivery of strategic objectives

Risk arising from a poor strategic business decision

Operational/Corporate Risk =

Risks arising through provision of services – inadequate or failed processes, poorly designed procedures, people (human error), systems and external events.


ARTICULATING THE RISKS

Example

“We have a lot of problems getting the right people to do the job…”

“We train them up and then can’t keep them for long…”

What is the risk?

Inability to attract and retain staff with high levels of knowledge and expertise

Increased costs through churn of staff (recruitment, training, etc.)


CLASSIFYING THE RISK / RISK APPETITE


RISK PROFILE

(Heat map of risk titles by category: Human Resources, Financial, Information Technology, Political, Legal / Governance. Example entry: Inability to attract & retain staff.)

Legend

• High risk: Immediate action required

• Significant risk: Senior management attention required

• Medium (Moderate) risk: Management responsibility must be specified

• Low risk: Manage by routine procedures

4 BUSINESS CONTINUITY


WHAT IS BUSINESS CONTINUITY?

Business Continuity (BC) is defined as the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

(source: ISO 22301:2012)

BCP – Business Continuity Plan

BCM – Business Continuity Management

ITDRP – Information Technology Disaster Recovery Plan

EM – Emergency Management

BIA – Business Impact Analysis

SPF – Single Point of Failure


WHAT DOES IT ALL MEAN?

Emergency Management Plan (EMP) – Focussed on the safeguard and preservation of lives, equipment, assets and infrastructure.

Business Continuity Plan (BCP) – To maintain or restore at least a minimal level of service provision to those functions/services deemed ‘critical’ to the continuity of the organisation. The BCP should include prioritisation.

IT Disaster Recovery Plan (ITDRP) – To restore or maintain technology infrastructure (enabler).

A GOOD BUSINESS CONTINUITY PLAN WILL…

Remove/reduce subjectivity around prioritisation of services/ functions, minimising the period of disruption to services/ functions

Identify your ‘Single Points of Failure’ (SPF)

Provide those responsible (process owners) with a guide/reminder of what they should consider and what actions are required

Provide those ‘picking up the reins’ with a fighting chance of knowing what to do and who to speak to

Inform other dependencies and priorities (e.g. the ITDRP)


A BUSINESS CONTINUITY PLAN WON’T…

× Be a manual or replacement guide for good management practice and decision making

× Be a script for every type of scenario which may occur

× Add complexity, overbearing detail and uncertainty to a situation

× Be something that is regarded as an ‘on the shelf’ document, relied upon periodically for all the answers


5 FRAUD AND CYBER

FRAUD IN THE NEWS


WHAT ARE THE EXPERTS TELLING US?

Extrapolated information recently reported by the Association of Certified Fraud Examiners indicates that organisations lose five per cent of their annual revenue to fraud.


CURRENT SCAMS

Some impersonators are easy to spot…

Others are not!


RANSOMWARE

SKIMMING


$114 Billion

$85 Billion

VALUE OF FRAUD


HAVE YOU BEEN HACKED?


SCAM STATISTICS - VICTORIA

DO WE QUESTION THINGS

Quantum = Some

All = All

Quantum = 8 POWER ACTIONS

All = 6 POWER ACTIONS

WHY DO PEOPLE COMMIT FRAUD?


FRAUD PREVENTION FRAMEWORK


FRAUD RISK ASSESSMENT


FROM LITTLE THINGS BIG THINGS CAN GROW…

A Manager allowing deviation from ‘standard operating procedures’.

An employee accepting a gift from a supplier or contractor

An employee taking home ‘surplus’ stock


HOW CONTROLS FAIL

(Diagram: a TRANSACTION passing through Check 1, Check 2 and Check 3.)


IF 99% EFFECTIVE WAS ‘GOOD ENOUGH’ IN LIFE

12 newborn babies given to the wrong parents each day

20,000 drug prescriptions incorrect per year

No electricity worldwide for 14mins per day

930 planes falling out the sky per year

Water unsafe to drink for 3 days per year


CYBER CRIME


WHAT IS YOUR RISK?


Business model of questionable morals/taste

Client base of 39 million across 53 countries

Gross profit of $115m in 2014

Valued in excess of $1bn

200+ employees

17,000 users per second

Money generated through functionality charges and fees (e.g. removal of profile = $19)

ASHLEY MADISON


Hacked in July 2015 and member details published online, including:

Names

Addresses

Credit card information

Search history

Profile pictures

ASHLEY MADISON


$576m class action by members and significant regulatory (e.g. breach of privacy) action to follow.

The hack highlighted numerous questionable and deceptive operational procedures.

Members were subsequently extorted through emails requesting USD 300.

ASHLEY MADISON


Dropped USBs and Optical Drives in staff carpark

Phishing emails & Malware on USB

Follow-up through fake IT support calls

GOVERNMENT HACKING


60% plugged in the USB drive

90% when it was branded with an official logo

22% clicked on the URL in the phishing email

40% provided passwords over the phone

OUTCOME


Change of Bank Details Scam

RECENT FRAUD CASE STUDY


Key Facts

o Scammer may initially contact the organisation by phone, impersonating a known supplier and requesting a change of bank details.

o Scammer follows up in writing (email), attaching an instruction allegedly signed by a signatory.

o Bank account details are amended and subsequent invoices are paid to the new (fraudulent) details.

RECENT FRAUD CASE STUDY


It’s all in the fine detail

Scammer email example – [email protected]

Genuine email example – [email protected]

Signatory info may be incorrect on closer inspection

BSB is not domiciled to HQ

RECENT FRAUD CASE STUDY

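As an added example (not part of the original slides or JLT's own tooling), the fine-detail checks from the case study turned into a screening routine that an accounts-payable team could run before amending a supplier's bank details; the vendor record, domain names, signatory, BSB values and the BSB-to-state map are constructed and simplified for illustration:

```python
import re
from dataclasses import dataclass
# Constructed vendor master record for a hypothetical supplier (not a real company).
VENDOR = {"domain": "acmesupplies.example", "signatories": {"J. Smith"}, "hq_state": "VIC"}

# Australian BSBs are six digits and the third digit indicates the state of the branch.
# This map is a simplified illustration, not an authoritative table.
STATE_BY_THIRD_DIGIT = {"2": "NSW", "3": "VIC", "4": "QLD", "5": "SA", "6": "WA", "7": "TAS"}

@dataclass
class ChangeRequest:
    sender: str             # From: address on the written (email) follow-up
    signatory: str          # name on the attached, allegedly signed, instruction
    new_bsb: str            # bank details the request asks to switch to
    callback_verified: bool # confirmed by phoning the number already on file

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bsb_state(bsb: str):
    """State the BSB is domiciled to, or None if the BSB is malformed."""
    digits = re.sub(r"\D", "", bsb)
    return STATE_BY_THIRD_DIGIT.get(digits[2]) if len(digits) == 6 else None

def review(req: ChangeRequest, vendor: dict = VENDOR) -> list:
    """Fine-detail findings to resolve before any bank detail is amended."""
    findings = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if domain != vendor["domain"]:
        kind = "lookalike" if levenshtein(domain, vendor["domain"]) <= 2 else "unknown"
        findings.append(f"{kind} sender domain: {domain}")
    if req.signatory not in vendor["signatories"]:
        findings.append(f"signatory not on vendor record: {req.signatory}")
    state = bsb_state(req.new_bsb)
    if state != vendor["hq_state"]:
        findings.append(f"BSB domiciled to {state or 'unknown'}, vendor HQ is {vendor['hq_state']}")
    if not req.callback_verified:
        findings.append("not verified by callback to the number on file")
    return findings

# Constructed scammer request: extra letter in the domain, wrong signatory, NSW BSB, no callback.
SUSPECT = ChangeRequest("accounts@acmesuppliess.example", "J. Smyth", "062-000", False)
```

An empty findings list means the request matched the record on every check; anything else should hold the change until it is resolved with the supplier on a number already on file.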

Business Continuity – What are your priorities?

Leverage risk management/integrate into ops.

Technology – What is critical, where is it stored?

IN SUMMARY, FOR CONSIDERATION


KICK THE TYRES

PEE ‘N’ LEARN

Effective Risk Management, Business Continuity, and Fraud & Cyber prevention are all about foresight. There are no prizes for hindsight…

GOLDEN EGGS
