“What does Synergy have to do with it!” John Delaney, BComm, CIA, CRMA, CRM, C. Dir. Senior Planning Advisor Royal Canadian Navy Linking IA to Boards, Strategy Risk Mgmt. and Cyber Security April 25, 2019


Post on 31-Jul-2020


Page 1

“What does Synergy have to do with it!”

John Delaney, BComm, CIA, CRMA, CRM, C. Dir.

Senior Planning Advisor

Royal Canadian Navy

Linking IA to Boards, Strategy, Risk Mgmt. and Cyber Security

April 25, 2019

Page 2

Agenda

• Background

• The importance of strategy

• Personal journey with IRM

• Actions to increase insight and create synergy

• Practical ways to engage

• Your views and questions

Page 3

Background

• Materiel Management ~ 9 yrs.

• Internal Audit ~ 16 yrs.

• Strategy ~ 3.5 yrs.

• IRM ~ 10.5 yrs.

• Business Management ~ 1 yr.

• Chartered Director – McMaster University

• Volunteer and Mgmt. Boards

Page 4

Quote

“Results are gained by exploiting opportunities, not by solving problems.” Peter Drucker

Page 5

Most Important Tasks of any Board

Page 6

Strategy Definition

Page 7

Product/Market Matrix

Page 8

Principal Causes of Performance Failure

Page 9

Questions to Ponder

• Shouldn’t being constructively engaged in the organization’s strategy also be a priority of Internal Audit, Risk Management, Cyber Security and others?

• Are we currently involved in contributing to our organization’s strategy?

• Are we currently working with professional partners towards achieving the organization's strategy?

Page 10

Proposition

Because of the importance of strategy to the long-term success of the organization - being constructively engaged must be a priority of Internal Audit, Risk Management and Cyber Security.

2019 2029

Page 11

Personal Journey with IRM

Page 12

Principles - Road Map & Lessons Learned

In 2011, embarked on a complex journey and needed a map.

Framework - ISO 31000 Risk Management Principles and Guidelines.

Practical implementation principles – based on a study of prior program failures.

- Proceed incrementally

- Gain senior executive support

- Gain staff and middle management support

- Integrate the new practice into the existing planning and management regime

Page 13

Framework Implementation

Diagram labels: Framework Implementation, Continuous Improvement Cycle

• Commit and Mandate

– NAVORD

– IRM Policy Statement

– IRM Guidelines

– RM Plan and RM Process

– Assurance Plan

• Communicate & Train

– Stakeholder analysis

– Training needs analysis

– Communication strategy

– Training strategy

Roles and Reporting

• Structure & Accountability

– Board RM Committee

– Executive RM Group

– RM Working Group

– Manager Risk Management

– RM Champions

– Risk and Control Owners

• Review & Improve

– Control assurance

– RM Plan Progress

– RM Maturity Evaluation

– RM KPIs

– Benchmarking

– Governance reporting

Framework Implementation

Management Information System / Risk Registers / Treatment Plans / Assurance Plan / Reporting templates

Process for Managing Risk

Risk assessment Steps

• Establish context

• Identify risks

• Analyse risks

• Evaluate risks

• Treat risks

• Communicate and consult

• Monitor and review

Q31001-11 – Implementation Guide

four elements which provide the foundation for designing, implementing, monitoring and continual improvement of RM.

Includes: a well defined process for managing risk, and

Page 14

Guide Posts

“What you do has far greater impact than what you say.” Stephen Covey

“Getting action is preceded by building a positive relationship and then exploring possibilities.” Bob Chartier

Page 15

Engagement – Building Relationships

• Arranged Leadership Roundtable Discussions in each Region

– Pacific Region

– National Capital Region

– Atlantic Region

• Sponsored Annual Professional IRM Training & Facilitated Discussions

– Regional Review Team

– Regional Business Planners

– Regional Naval Engineering Teams

• Purchased, Shared and Discussed Risk Management Publications

– Risk Management for Dummies

– ISO31000

• Engaged Risk Champions

– System Development

– Initial Practice & Trial Teams

– Customization

Page 16

Techniques – Exploring Possibilities

• Show them and they will see

– Provided Direction, Guidelines and Templates

• Tell them and they will hear

– Targeted Risk Management Training

– Shared the Impact of their Efforts

– Exposed our Challenges

• Involve them and they will understand

– Facilitated Workshops & Risk Discussions

– Provided Sample Roadmaps / Tools / Presentations

– Supported Risk Profile Development

– Encouraged Feedback

– Maintained Flexibility

Page 17

Value of Risk Management

• Focuses Effort:

– on the specific interests of the governance board/s related to the organization’s threats & opportunities;

– on the goals and strategic objectives of the organization;

– on the system of compliance and oversight.

Page 18

Developing Trust

Page 19

The Team and Factors to Consider

The team:

• Board of Directors

• Integrated Risk Mgmt.

• Strategy

• Internal Audit

• CFO

• CEO

• Cyber Security Governance

Factors to consider:

• Needs

• Strengths

• Positioned to do / not do

• Value

Page 20

IRM and their Needs

Board of Directors

Integrated Risk Mgmt.

Internal Audit

Needs:

1. Understand the IRM Standard

2. Appreciate the context

3. Understand the maturity model and indicators

4. Customize your Audit Criteria, discuss it and share it with the Auditee early on

5. Point out strengths and deficiencies

6. Consider developing an ongoing professional relationship with IRM

Page 21

IRM and their Strengths

Board of Directors

Integrated Risk Mgmt.

Internal Audit

Strengths:

1. Knowledge of the organization’s strategy, the leaders responsible and the teams implementing it

2. Similar credentials, use similar tools and techniques

3. Similar interest in effective controls and contributing to the organization’s success

4. Common interest in the Board receiving quality information (Plans, Risks, and Performance.)

Page 22

IRM – Positioned to do / not do

Board of Directors

Integrated Risk Mgmt.

Internal Audit

Positioned to do / not do:

1. Develop professional relationship with Audit

2. Explore possibilities of how we can achieve greater effect

3. Share information on process: what is working / what needs improvement

4. Share content information – risk information is primarily the responsibility of the function owner

Page 23

Engagement and Value Gained

Board of Directors

Integrated Risk Mgmt.

Internal Audit

Value gained by better engagement:

1. Synergistic effect on strategy and its achievement

2. Potential to improve overall organizational control

3. Potential to strengthen ourselves

4. Potential to improve Board insight – “truth” vs “true”

Page 24

Information on Strategy

Board of Directors

Strategy

Internal Audit

Page 25

Information on IRM

Board of Directors

Integrated Risk Mgmt.

Internal Audit

Page 26

Information on Cyber Security Governance

Board of Directors

Internal Audit

Cyber Security Governance

Page 27

Information on Insight for Internal Audit

Board of Directors

Internal Audit

Page 28

Risk Humor

The Cyber Security Hub™

Page 29

E-Mail: [email protected]

Thank-you!

Questions?