TRANSCRIPT
“What does Synergy have to do with it!”
John Delaney, BComm, CIA, CRMA, CRM, C. Dir.
Senior Planning Advisor
Royal Canadian Navy
Linking IA to Boards, Strategy, Risk Mgmt. and Cyber Security
April 25, 2019
Agenda
• Background
• The importance of strategy
• Personal journey with IRM
• Actions to increase insight and create synergy
• Practical ways to engage
• Your views and questions
Background
• Materiel Management ~ 9 yrs.
• Internal Audit ~ 16 yrs.
• Strategy ~ 3.5 yrs.
• IRM ~ 10.5 yrs.
• Business Management ~ 1 yr.
• Chartered Director – McMaster University
• Volunteer and Mgmt. Boards
Quote
“Results are gained by exploiting opportunities, not by solving problems.” Peter Drucker
Most Important Tasks of any Board
Strategy Definition
Product/Market Matrix
Principal Causes of Performance Failure
Questions to Ponder
• Shouldn’t being constructively engaged in the organization’s strategy also be a priority of Internal Audit, Risk Management, Cyber Security and others?
• Are we currently involved in contributing to our organization’s strategy?
• Are we currently working with professional partners towards achieving the organization's strategy?
Proposition
Because of the importance of strategy to the long-term success of the organization, being constructively engaged must be a priority of Internal Audit, Risk Management and Cyber Security.
(Timeline: 2019 to 2029)
Personal Journey with IRM
Principles - Road Map & Lessons Learned
In 2011, embarked on a complex journey and needed a map.
Framework - ISO 31000 Risk Management Principles and Guidelines.
Practical implementation principles – based on a study of prior program failures.
- Proceed incrementally
- Gain senior executive support
- Gain staff and middle management support
- Integrate the new practice into the existing planning and management regime
• Commit and Mandate
– NAVORD
– IRM Policy Statement
– IRM Guidelines
– RM Plan and RM Process
– Assurance Plan
• Communicate & Train
– Stakeholder analysis
– Training needs analysis
– Communication strategy
– Training strategy
– Roles and Reporting
• Structure & Accountability
– Board RM Committee
– Executive RM Group
– RM Working Group
– Manager Risk Management
– RM Champions
– Risk and Control Owners
• Review & Improve
– Control assurance
– RM Plan Progress
– RM Maturity Evaluation
– RM KPIs
– Benchmarking
– Governance reporting Framework
• Implementation
– Management Information System / Risk Registers / Treatment Plans / Assurance Plan / Reporting templates
Framework Implementation
Process for Managing Risk (diagram): the risk assessment steps run in sequence, with “Communicate and consult” and “Monitor and review” running alongside them throughout.
• Establish context
• Identify risks
• Analyse risks
• Evaluate risks
• Treat risks
Framework Implementation – Continuous Improvement Cycle (diagram)
Q31001-11 – Implementation Guide
Four elements which provide the foundation for designing, implementing, monitoring and continual improvement of RM. Includes: a well-defined process for managing risk, and
Guide Posts
“What you do has far greater impact than what you say.”
Stephen Covey
“Getting action is preceded by building a positive relationship and then exploring possibilities.” Bob Chartier
Engagement – Building Relationships
• Arranged Leadership Roundtable Discussions in each Region
– Pacific Region
– National Capital Region
– Atlantic Region
• Sponsored Annual Professional IRM Training & Facilitated Discussions
– Regional Review Team
– Regional Business Planners
– Regional Naval Engineering Teams
• Purchased, Shared and Discussed Risk Management Publications
– Risk Management for Dummies
– ISO31000
• Engaged Risk Champions
– System Development
– Initial Practice & Trial Teams
– Customization
Techniques – Exploring Possibilities
• Show them and they will see
– Provided Direction, Guidelines and Templates
• Tell them and they will hear
– Targeted Risk Management Training
– Shared the Impact of their Efforts
– Exposed our Challenges
• Involve them and they will understand
– Facilitated Workshops & Risk Discussions
– Provided Sample Roadmaps / Tools / Presentations
– Supported Risk Profile Development
– Encouraged Feedback
– Maintained Flexibility
Value of Risk Management
• Focuses Effort:
– on the specific interests of the governance board/s related to the organization’s threats & opportunities;
– on the goals and strategic objectives of the organization;
– on the system of compliance and oversight.
Developing Trust
The Team and Factors to Consider
(Diagram: the team – Board of Directors, CEO, CFO, Strategy, Integrated Risk Mgmt., Internal Audit, Cyber Security Governance; factors to consider for each – Needs, Strengths, Positioned to do / not do, Value)
IRM and their Needs
(Diagram: Board of Directors, Integrated Risk Mgmt., Internal Audit)
Needs:
1. Understand the IRM Standard
2. Appreciation of the context
3. Understand the maturity model and indicators
4. Customize your Audit Criteria, discuss it and share it with the Auditee early on
5. Point out strengths and deficiencies
6. Consider developing an ongoing professional relationship with IRM
IRM and their Strengths
Strengths:
1. Knowledge of the organization’s strategy, the leaders responsible and the teams implementing it
2. Similar credentials, use similar tools and techniques
3. Similar interest in effective controls and contributing to the organization’s success
4. Common interest in the Board receiving quality information (Plans, Risks, and Performance.)
IRM – Positioned to do / not do
Positioned to do / not do:
1. Develop professional relationship with Audit
2. Explore possibilities of how we can achieve greater effect
3. Share information on process, what: is working / needs improvement
4. Share content information – risk information is primarily the responsibility of the function owner
Engagement and Value Gained
Value gained by better engagement:
1. Synergistic effect on strategy and its achievement
2. Potential to improve overall organizational control
3. Potential to strengthen ourselves
4. Potential to improve Board insight – “truth” vs “true”
Information on Strategy (diagram: Board of Directors, Strategy, Internal Audit)
Information on IRM (diagram: Board of Directors, Integrated Risk Mgmt., Internal Audit)
Information on Cyber Security Governance (diagram: Board of Directors, Internal Audit, Cyber Security Governance)
Information on Insight for Internal Audit (diagram: Board of Directors, Internal Audit)
Risk Humor (cartoon slide)
The Cyber Security Hub™