Sohayla Fitzpatrick's Posts (9)

What does Cyber Security Information look like?

  • New threats: a leading indicator of risk. Threats are all around us, so why count them?
    • What haven't we seen before? What we don't know can hurt us.
    • Are new threats arriving faster?
    • Is the pattern normal?
  • Security backlog: Identify - Protect - Detect - Respond - Recover... Repeat!
    • A workload measure: how much work is there for my security operations team?
    • Is the "haystack" of events becoming overwhelming?
    • How well is the capacity of my team being utilized?
  • Defense effectiveness: baling wire and duct tape... are we treating the symptom or the cause?
    • What are the most persistent threats?
    • Are we mitigating threats and vulnerabilities efficiently?
    • Which controls work and which ones need to be retired?

Economic view of risk in IT Operations:

FAIR Ontology is a good model to use.

Bringing the Model to life by:

  • High Relevance
  • Some Relevance
  • Model Only

If Models are current, good and useful, they should be used for KRIs.


Five key areas of risk related to CLM:

  • Can you quickly search, locate and track your agreements, or report on key data points? (On average, companies spend 5% of their revenue on CLM costs)
    • Secure, central repository
    • Capture contract-type-centric data
    • Report on key data points
  • Key dates and obligations
    • Proactive email alerts
    • Action item tracking
    • Calendars and to-do lists
  • Business rules and compliance
    • Create business rules and workflows
    • Analyze requirements and KPIs
    • Uncover bottlenecks while improving compliance
  • Contract language and redlining
    • Create agreements using approved language
    • Complete document routing
    • Version control and auto-compare
  • Role-based security
    • Robust security controls
    • Enforce security at different stages
    • Integration with Active Directory

Internal Audit (IA) is uniquely positioned to use its cross functional / external perspective to provide strategic guidance to the business while balancing the need to perform its traditional work.

Align IA with the most significant business risks:

  • Lead the enterprise-wide business risk assessment, focused on business risk rather than solely on financial statement or auditable risks.
  • Keep the business risk assessment refreshed with emerging risks and business changes.
  • Set the audit plan to address the highest-potential risk areas. Continuously re-assess and adjust in real time.
  • Facilitate dialogue on acceptable levels of risk tolerance and alternative risk mitigation.

Shift hours from compliance to advisory work:

  • Specific hours set aside in the audit plan.
  • Partner with the business to address control issues identified, process challenges, business changes, etc.
    • Trade spend optimization
    • Control Health Checks
    • Process / control documentation for business implementations
    • Contingency planning for sole source providers
  • Audit Committee and / or executive management requests early in the process.
  • Focus on the business risk.
  • Customize solutions.

Balance objectivity with strong relationships:

  • Partner with the business.  Understand business goals / objectives and how audit can help enable them.
  • Relationships matter.
  • Establish credibility
  • Audit is intimidating.  Being approachable is critical.
  • Watch out:  maintaining independence (perception of not being objective)

Practice what you preach:  eliminate costs and inefficiencies:

  • Eliminate and / or reduce lower risk audits.
  • Assess IA's processes to eliminate non value added work.
  • Leverage non audit internal resources to complete traditional compliance work with IA reviewing.
  • Simplify reporting.
  • Manage travel and expenses.


  • As the business evolves, IA needs to evolve with it.
  • Finding the balance of traditional audit and business partnership is powerful.
  • Continuous re-assessment is required.

The Here and Now:



Around the Corner:

Talent availability

Fiscal crises, sustainability demands and social instability

On the Horizon:

Climate change, water crises, large-scale involuntary migrations. Emerging technologies.

Strategy is about making choices.  Think about:

What creates Value in your organization?

How is value Captured?

How is Strategy set, communicated and executed?

What is the actual Attitude towards risk management?

Does the organization's Culture support a strategic risk management approach?

Good Decision making steps:

1. Frame:  issue/need defined

2. Doable alternatives

3. Meaningful, reliable information

4. Developing options

5. Clear values and trade-offs

6. Logically correct reasoning

7. Acting on the decision

Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution.


Technology / Cyber Threat Detection:

Solution:  Software that aids in detection that is sophisticated, bidirectional, real time and predictive.

How do we gauge the solution's efficacy?  Look at a number of solutions and triangulate among them; look at number of actual events versus false positives.  

Lessons learned:
Detection:  Data vs intelligence
Accuracy:  No or minimal false positives
Simple and Customizable Rules Management
Response time and SLA

Alexis: The OCC deems ops risk at the top of safety and soundness.

  • Legacy systems that don't speak to
  • Misaligned incentives
  • Poor oversight of third parties
  • Procedural breakdown of processes
  • How CROs identify and elevate the right decision points

Challenges and opportunities:

Challenge 1: Op risk is a different animal.
Opportunity 1: Treat op risk as unique.
  • Root cause and scenario vs statistical approach
  • Diffuse decision making vs a few specific choke points
  • Uncapped risk vs capped risk (loans): the tail can be very long; other similar things are looming in the background and are a signal
  • Fewer, more heterogeneous data points vs more and more homogeneous data points

Challenge 2: Emphasis is based on measurement. Op risk has not been able to prove its value. Institutions spend time on measuring, don't get to understand the output, and feel like they can't prove value. Which controls are most important? The ability to turn all the data into meaningful controls is what makes it tangible. Of the 3000 controls, which 100 are most important, or which 20 haven't we thought about?
Opportunity 2: Identify the regulatory issues at the process level.

Challenge 3: It is decentralized, which makes it difficult to understand risks. The nature of businesses and how op risk presents itself varies, so making direct correlations is hard.
Opportunity 3: Ensure consistency in evaluation and measurement. Risk heat map by unit.

Challenge 4: So who's responsible? Ops, unit, QA ahead of audit, audit, business / product leaders, corp risk, compliance, other.
Opportunity 4: Rigorously clarify roles and responsibilities.

Challenge 5: Culture is an afterthought, too soft to tackle, all about incentives.
Opportunity 5: Culture is at the heart and can be shaped by leaders. Break it down so that you can identify and measure it and have a conversation.
  • Transparency: do I know what my risks are?
  • Acknowledgement of risks: do we talk about them, or is it denial and shoot the messenger?
  • Responsiveness: proactive and reactive
  • Respect: the degree to which the firm thinks that risk is everyone's business

The key is to have a taxonomy:
  • Recognize op risk is unique; build strong muscle to deal with it
  • Make it decision based
  • Ensure consistency in elevation and management
  • Roles and responsibility
  • Culture

If the last 5 years have been all about credit risk, the next 5 years op risk will be at the heart of the risks.
What is risk culture? A system of values and mandates, and it has to evolve. It has to be embedded. If business presents Wednesday and risk Thursday, there needs to be an embedding. Regulations are too prescriptive... when their knowledge of our business is not as rich as it could be.

How do you design and benchmark for risk culture? It is company specific... a range of options, i.e., a monthly risk meeting with management, showing metrics to demonstrate what has changed and improved.

How do you keep your management spend aimed at the spirit of the law, not just the letter of the law? Most firms have to prioritize spending. Regulatory reporting is the letter of the law and the cost of doing business; internal awareness, monitoring and reporting is more the spirit of the law.

How do you think of risk appetite? Track and analyze your appetite to lose money. You need to have relative and real performance to see, quantify, demonstrate and decide. Try VaR and stress testing.

How do you manage the risk of having conflicting metrics? The metric has to have an actionable result, otherwise why pay attention to it?
Notes from a presentation on Behavior Risk Culture by Juergen Fiedler, Deutsche Bank, at RiskMinds USA in Boston.

What does risk culture look like?
  • It is one of five strategic objectives
  • Buy-in from the top
  • Dedicated risk culture program
  • Place company reputation at the heart of everything

Four program work streams implemented:
  • Communication: set expectations, corporate-wide and divisional, via senior management videos and intranet communication
  • Training
  • Accountability: hold people accountable; take red flags into consideration in promotion, compensation and performance rating
  • Monitoring: includes a tone-at-the-top campaign

  • Consistent strategic risk culture training
  • Strong link to objective setting and year-end review
  • Strong link to the compensation and promotion process through red flags
  • Gap analysis, year-end evaluation, mandatory online training including new product awareness
  • Hold a 2-day risk management conference and spend one day on culture
Notes from the presentation by Elizabeth Mays, PNC Financial, on Running an Efficient Model Risk Management:

Creation of an MRM framework:
  • Roles and responsibilities
  • Policies and procedures
  • Governance, oversight, risk appetite

1. Roles of MRM: risk identification
2. Identify tier models
3. Identify sources of model-related risk:
  • Faulty models
  • Misuse of models
  • Models operating in an uncontrolled environment
4. Identify model-specific risk through

Risk communication:
1. Communicate roles and responsibilities for model risk management
2. Independent model review report, including the version number
3. Summary risk reports to the bank's:
  • Business leaders
  • Oversight committees
  • Board

Ensure risk mitigation: impose conservatism by making adjustments to models. Overlays on output to compare.